xref: /freebsd/contrib/ntp/ntpd/ntp_proto.c (revision eda14cbc264d6969b02f2b1994cef11148e914f1)
1 /*
2  * ntp_proto.c - NTP version 4 protocol machinery
3  *
4  * ATTENTION: Get approval from Harlan on all changes to this file!
5  *	    (Harlan will be discussing these changes with Dave Mills.)
6  *
7  */
8 #ifdef HAVE_CONFIG_H
9 #include <config.h>
10 #endif
11 
12 #include "ntpd.h"
13 #include "ntp_stdlib.h"
14 #include "ntp_unixtime.h"
15 #include "ntp_control.h"
16 #include "ntp_string.h"
17 #include "ntp_leapsec.h"
18 #include "ntp_psl.h"
19 #include "refidsmear.h"
20 #include "lib_strbuf.h"
21 
22 #include <stdio.h>
23 #ifdef HAVE_LIBSCF_H
24 #include <libscf.h>
25 #endif
26 #ifdef HAVE_UNISTD_H
27 #include <unistd.h>
28 #endif
29 
30 /* [Bug 3031] define automatic broadcastdelay cutoff preset */
31 #ifndef BDELAY_DEFAULT
32 # define BDELAY_DEFAULT (-0.050)
33 #endif
34 
35 #define SRVFUZ_SHIFT	6	/* 64 seconds */
36 #define SRVRSP_FUZZ(x)					\
37 	do {						\
38 		x.l_uf &= 0;				\
39 		x.l_ui &= ~((1 << SRVFUZ_SHIFT) - 1U);	\
40 	} while(0)
41 
42 /*
43  * This macro defines the authentication state. If x is 1 authentication
44  * is required; otherwise it is optional.
45  */
46 #define	AUTH(x, y)	((x) ? (y) == AUTH_OK \
47 			     : (y) == AUTH_OK || (y) == AUTH_NONE)
48 
49 typedef enum
50 auth_state {
51 	AUTH_UNKNOWN = -1,	/* Unknown */
52 	AUTH_NONE,		/* authentication not required */
53 	AUTH_OK,		/* authentication OK */
54 	AUTH_ERROR,		/* authentication error */
55 	AUTH_CRYPTO		/* crypto_NAK */
56 } auth_code;
57 
58 /*
59  * Set up Kiss Code values
60  */
61 
62 typedef enum
63 kiss_codes {
64 	NOKISS,				/* No Kiss Code */
65 	RATEKISS,			/* Rate limit Kiss Code */
66 	DENYKISS,			/* Deny Kiss */
67 	RSTRKISS,			/* Restricted Kiss */
68 	XKISS				/* Experimental Kiss */
69 } kiss_code;
70 
71 typedef enum
72 nak_error_codes {
73 	NONAK,				/* No NAK seen */
74 	INVALIDNAK,			/* NAK cannot be used */
75 	VALIDNAK			/* NAK is valid */
76 } nak_code;
77 
78 /*
79  * traffic shaping parameters
80  */
81 #define	NTP_IBURST	6	/* packets in iburst */
82 #define	RESP_DELAY	1	/* refclock burst delay (s) */
83 
84 /*
85  * pool soliciting restriction duration (s)
86  */
87 #define	POOL_SOLICIT_WINDOW	8
88 
89 /*
90  * flag bits propagated from pool to individual peers
91  */
92 #define POOL_FLAG_PMASK		(FLAG_IBURST | FLAG_NOSELECT)
93 
94 /*
95  * peer_select groups statistics for a peer used by clock_select() and
96  * clock_cluster().
97  */
98 typedef struct peer_select_tag {
99 	struct peer *	peer;
100 	double		synch;	/* sync distance */
101 	double		error;	/* jitter */
102 	double		seljit;	/* selection jitter */
103 } peer_select;
104 
105 /*
106  * System variables are declared here. Unless specified otherwise, all
107  * times are in seconds.
108  */
109 u_char	sys_leap;		/* system leap indicator, use set_sys_leap() to change this */
110 u_char	xmt_leap;		/* leap indicator sent in client requests, set up by set_sys_leap() */
111 u_char	sys_stratum;		/* system stratum */
112 s_char	sys_precision;		/* local clock precision (log2 s) */
113 double	sys_rootdelay;		/* roundtrip delay to root (primary source) */
114 double	sys_rootdisp;		/* dispersion to root (primary source) */
115 double	prev_rootdisp;		/* previous root dispersion */
116 double	p2_rootdisp;		/* previous previous root dispersion */
117 u_int32 sys_refid;		/* reference id (network byte order) */
118 l_fp	sys_reftime;		/* last update time */
119 l_fp	prev_reftime;		/* previous sys_reftime */
120 l_fp	p2_reftime;		/* previous previous sys_reftime */
121 u_long	prev_time;		/* "current_time" when saved prev_time */
122 u_long	p2_time;		/* previous prev_time */
123 struct	peer *sys_peer;		/* current peer */
124 
125 #ifdef LEAP_SMEAR
126 struct leap_smear_info leap_smear;
127 #endif
128 int leap_sec_in_progress;
129 
130 /*
131  * Rate controls. Leaky buckets are used to throttle the packet
132  * transmission rates in order to protect busy servers such as at NIST
133  * and USNO. There is a counter for each association and another for KoD
134  * packets. The association counter decrements each second, but not
135  * below zero. Each time a packet is sent the counter is incremented by
136  * a configurable value representing the average interval between
137  * packets. A packet is delayed as long as the counter is greater than
138  * zero. Note this does not affect the time value computations.
139  */
140 /*
141  * Nonspecified system state variables
142  */
143 int	sys_bclient;		/* broadcast client enable */
144 double	sys_bdelay;		/* broadcast client default delay */
145 int	sys_authenticate;	/* requre authentication for config */
146 l_fp	sys_authdelay;		/* authentication delay */
147 double	sys_offset;	/* current local clock offset */
148 double	sys_mindisp = MINDISPERSE; /* minimum distance (s) */
149 double	sys_maxdist = MAXDISTANCE; /* selection threshold */
150 double	sys_jitter;		/* system jitter */
151 u_long	sys_epoch;		/* last clock update time */
152 static	double sys_clockhop;	/* clockhop threshold */
153 static int leap_vote_ins;	/* leap consensus for insert */
154 static int leap_vote_del;	/* leap consensus for delete */
155 keyid_t	sys_private;		/* private value for session seed */
156 int	sys_manycastserver;	/* respond to manycast client pkts */
157 int	ntp_mode7;		/* respond to ntpdc (mode7) */
158 int	peer_ntpdate;		/* active peers in ntpdate mode */
159 int	sys_survivors;		/* truest of the truechimers */
160 char	*sys_ident = NULL;	/* identity scheme */
161 
162 /*
163  * TOS and multicast mapping stuff
164  */
165 int	sys_floor = 0;		/* cluster stratum floor */
166 u_char	sys_bcpollbstep = 0;	/* Broadcast Poll backstep gate */
167 int	sys_ceiling = STRATUM_UNSPEC - 1; /* cluster stratum ceiling */
168 int	sys_minsane = 1;	/* minimum candidates */
169 int	sys_minclock = NTP_MINCLOCK; /* minimum candidates */
170 int	sys_maxclock = NTP_MAXCLOCK; /* maximum candidates */
171 int	sys_cohort = 0;		/* cohort switch */
172 int	sys_orphan = STRATUM_UNSPEC + 1; /* orphan stratum */
173 int	sys_orphwait = NTP_ORPHWAIT; /* orphan wait */
174 int	sys_beacon = BEACON;	/* manycast beacon interval */
175 u_int	sys_ttlmax;		/* max ttl mapping vector index */
176 u_char	sys_ttl[MAX_TTL];	/* ttl mapping vector */
177 
178 /*
179  * Statistics counters - first the good, then the bad
180  */
181 u_long	sys_stattime;		/* elapsed time */
182 u_long	sys_received;		/* packets received */
183 u_long	sys_processed;		/* packets for this host */
184 u_long	sys_newversion;		/* current version */
185 u_long	sys_oldversion;		/* old version */
186 u_long	sys_restricted;		/* access denied */
187 u_long	sys_badlength;		/* bad length or format */
188 u_long	sys_badauth;		/* bad authentication */
189 u_long	sys_declined;		/* declined */
190 u_long	sys_limitrejected;	/* rate exceeded */
191 u_long	sys_kodsent;		/* KoD sent */
192 
193 /*
194  * Mechanism knobs: how soon do we peer_clear() or unpeer()?
195  *
196  * The default way is "on-receipt".  If this was a packet from a
197  * well-behaved source, on-receipt will offer the fastest recovery.
198  * If this was from a DoS attack, the default way makes it easier
199  * for a bad-guy to DoS us.  So look and see what bites you harder
200  * and choose according to your environment.
201  */
202 int peer_clear_digest_early	= 1;	/* bad digest (TEST5) and Autokey */
203 int unpeer_crypto_early		= 1;	/* bad crypto (TEST9) */
204 int unpeer_crypto_nak_early	= 1;	/* crypto_NAK (TEST5) */
205 int unpeer_digest_early		= 1;	/* bad digest (TEST5) */
206 
207 int dynamic_interleave = DYNAMIC_INTERLEAVE;	/* Bug 2978 mitigation */
208 
209 int kiss_code_check(u_char hisleap, u_char hisstratum, u_char hismode, u_int32 refid);
210 nak_code	valid_NAK	(struct peer *peer, struct recvbuf *rbufp, u_char hismode);
211 static	double	root_distance	(struct peer *);
212 static	void	clock_combine	(peer_select *, int, int);
213 static	void	peer_xmit	(struct peer *);
214 static	void	fast_xmit	(struct recvbuf *, int, keyid_t, int);
215 static	void	pool_xmit	(struct peer *);
216 static	void	clock_update	(struct peer *);
217 static	void	measure_precision(void);
218 static	double	measure_tick_fuzz(void);
219 static	int	local_refid	(struct peer *);
220 static	int	peer_unfit	(struct peer *);
221 #ifdef AUTOKEY
222 static	int	group_test	(char *, char *);
223 #endif /* AUTOKEY */
224 #ifdef WORKER
225 void	pool_name_resolved	(int, int, void *, const char *,
226 				 const char *, const struct addrinfo *,
227 				 const struct addrinfo *);
228 #endif /* WORKER */
229 
230 const char *	amtoa		(int am);
231 
232 
233 void
234 set_sys_leap(
235 	u_char new_sys_leap
236 	)
237 {
238 	sys_leap = new_sys_leap;
239 	xmt_leap = sys_leap;
240 
241 	/*
242 	 * Under certain conditions we send faked leap bits to clients, so
243 	 * eventually change xmt_leap below, but never change LEAP_NOTINSYNC.
244 	 */
245 	if (xmt_leap != LEAP_NOTINSYNC) {
246 		if (leap_sec_in_progress) {
247 			/* always send "not sync" */
248 			xmt_leap = LEAP_NOTINSYNC;
249 		}
250 #ifdef LEAP_SMEAR
251 		else {
252 			/*
253 			 * If leap smear is enabled in general we must
254 			 * never send a leap second warning to clients,
255 			 * so make sure we only send "in sync".
256 			 */
257 			if (leap_smear.enabled)
258 				xmt_leap = LEAP_NOWARNING;
259 		}
260 #endif	/* LEAP_SMEAR */
261 	}
262 }
263 
264 
265 /*
266  * Kiss Code check
267  */
268 int
269 kiss_code_check(
270 	u_char hisleap,
271 	u_char hisstratum,
272 	u_char hismode,
273 	u_int32 refid
274 	)
275 {
276 
277 	if (   hismode == MODE_SERVER
278 	    && hisleap == LEAP_NOTINSYNC
279 	    && hisstratum == STRATUM_UNSPEC) {
280 		if(memcmp(&refid,"RATE", 4) == 0) {
281 			return (RATEKISS);
282 		} else if(memcmp(&refid,"DENY", 4) == 0) {
283 			return (DENYKISS);
284 		} else if(memcmp(&refid,"RSTR", 4) == 0) {
285 			return (RSTRKISS);
286 		} else if(memcmp(&refid,"X", 1) == 0) {
287 			return (XKISS);
288 		}
289 	}
290 	return (NOKISS);
291 }
292 
293 
294 /*
295  * Check that NAK is valid
296  */
297 nak_code
298 valid_NAK(
299 	  struct peer *peer,
300 	  struct recvbuf *rbufp,
301 	  u_char hismode
302 	  )
303 {
304 	int		base_packet_length = MIN_V4_PKT_LEN;
305 	int		remainder_size;
306 	struct pkt *	rpkt;
307 	int		keyid;
308 	l_fp		p_org;	/* origin timestamp */
309 	const l_fp *	myorg;	/* selected peer origin */
310 
311 	/*
312 	 * Check to see if there is something beyond the basic packet
313 	 */
314 	if (rbufp->recv_length == base_packet_length) {
315 		return NONAK;
316 	}
317 
318 	remainder_size = rbufp->recv_length - base_packet_length;
319 	/*
320 	 * Is this a potential NAK?
321 	 */
322 	if (remainder_size != 4) {
323 		return NONAK;
324 	}
325 
326 	/*
327 	 * Only server responses can contain NAK's
328 	 */
329 
330 	if (hismode != MODE_SERVER &&
331 	    hismode != MODE_ACTIVE &&
332 	    hismode != MODE_PASSIVE
333 	    ) {
334 		return INVALIDNAK;
335 	}
336 
337 	/*
338 	 * Make sure that the extra field in the packet is all zeros
339 	 */
340 	rpkt = &rbufp->recv_pkt;
341 	keyid = ntohl(((u_int32 *)rpkt)[base_packet_length / 4]);
342 	if (keyid != 0) {
343 		return INVALIDNAK;
344 	}
345 
346 	/*
347 	 * During the first few packets of the autokey dance there will
348 	 * not (yet) be a keyid, but in this case FLAG_SKEY is set.
349 	 * So the NAK is invalid if either there's no peer, or
350 	 * if the keyid is 0 and FLAG_SKEY is not set.
351 	 */
352 	if (!peer || (!peer->keyid && !(peer->flags & FLAG_SKEY))) {
353 		return INVALIDNAK;
354 	}
355 
356 	/*
357 	 * The ORIGIN must match, or this cannot be a valid NAK, either.
358 	 */
359 
360 	if (FLAG_LOOPNONCE & peer->flags) {
361 		myorg = &peer->nonce;
362 	} else {
363 		if (peer->flip > 0) {
364 			myorg = &peer->borg;
365 		} else {
366 			myorg = &peer->aorg;
367 		}
368 	}
369 
370 	NTOHL_FP(&rpkt->org, &p_org);
371 
372 	if (L_ISZERO(&p_org) ||
373 	    L_ISZERO( myorg) ||
374 	    !L_ISEQU(&p_org, myorg)) {
375 		return INVALIDNAK;
376 	}
377 
378 	/* If we ever passed all that checks, we should be safe. Well,
379 	 * as safe as we can ever be with an unauthenticated crypto-nak.
380 	 */
381 	return VALIDNAK;
382 }
383 
384 
385 /*
386  * transmit - transmit procedure called by poll timeout
387  */
388 void
389 transmit(
390 	struct peer *peer	/* peer structure pointer */
391 	)
392 {
393 	u_char	hpoll;
394 
395 	/*
396 	 * The polling state machine. There are two kinds of machines,
397 	 * those that never expect a reply (broadcast and manycast
398 	 * server modes) and those that do (all other modes). The dance
399 	 * is intricate...
400 	 */
401 	hpoll = peer->hpoll;
402 
403 	/*
404 	 * If we haven't received anything (even if unsync) since last
405 	 * send, reset ppoll.
406 	 */
407 	if (peer->outdate > peer->timelastrec && !peer->reach)
408 		peer->ppoll = peer->maxpoll;
409 
410 	/*
411 	 * In broadcast mode the poll interval is never changed from
412 	 * minpoll.
413 	 */
414 	if (peer->cast_flags & (MDF_BCAST | MDF_MCAST)) {
415 		peer->outdate = current_time;
416 		poll_update(peer, hpoll, 0);
417 		if (sys_leap != LEAP_NOTINSYNC)
418 			peer_xmit(peer);
419 		return;
420 	}
421 
422 	/*
423 	 * In manycast mode we start with unity ttl. The ttl is
424 	 * increased by one for each poll until either sys_maxclock
425 	 * servers have been found or the maximum ttl is reached. When
426 	 * sys_maxclock servers are found we stop polling until one or
427 	 * more servers have timed out or until less than sys_minclock
428 	 * associations turn up. In this case additional better servers
429 	 * are dragged in and preempt the existing ones.  Once every
430 	 * sys_beacon seconds we are to transmit unconditionally, but
431 	 * this code is not quite right -- peer->unreach counts polls
432 	 * and is being compared with sys_beacon, so the beacons happen
433 	 * every sys_beacon polls.
434 	 */
435 	if (peer->cast_flags & MDF_ACAST) {
436 		peer->outdate = current_time;
437 		poll_update(peer, hpoll, 0);
438 		if (peer->unreach > sys_beacon) {
439 			peer->unreach = 0;
440 			peer->ttl = 0;
441 			peer_xmit(peer);
442 		} else if (   sys_survivors < sys_minclock
443 			   || peer_associations < sys_maxclock) {
444 			if (peer->ttl < sys_ttlmax)
445 				peer->ttl++;
446 			peer_xmit(peer);
447 		}
448 		peer->unreach++;
449 		return;
450 	}
451 
452 	/*
453 	 * Pool associations transmit unicast solicitations when there
454 	 * are less than a hard limit of 2 * sys_maxclock associations,
455 	 * and either less than sys_minclock survivors or less than
456 	 * sys_maxclock associations.  The hard limit prevents unbounded
457 	 * growth in associations if the system clock or network quality
458 	 * result in survivor count dipping below sys_minclock often.
459 	 * This was observed testing with pool, where sys_maxclock == 12
460 	 * resulted in 60 associations without the hard limit.  A
461 	 * similar hard limit on manycastclient ephemeral associations
462 	 * may be appropriate.
463 	 */
464 	if (peer->cast_flags & MDF_POOL) {
465 		peer->outdate = current_time;
466 		poll_update(peer, hpoll, 0);
467 		if (   (peer_associations <= 2 * sys_maxclock)
468 		    && (   peer_associations < sys_maxclock
469 			|| sys_survivors < sys_minclock))
470 			pool_xmit(peer);
471 		return;
472 	}
473 
474 	/*
475 	 * In unicast modes the dance is much more intricate. It is
476 	 * designed to back off whenever possible to minimize network
477 	 * traffic.
478 	 */
479 	if (peer->burst == 0) {
480 		u_char oreach;
481 
482 		/*
483 		 * Update the reachability status. If not heard for
484 		 * three consecutive polls, stuff infinity in the clock
485 		 * filter.
486 		 */
487 		oreach = peer->reach;
488 		peer->outdate = current_time;
489 		peer->unreach++;
490 		peer->reach <<= 1;
491 		if (!peer->reach) {
492 
493 			/*
494 			 * Here the peer is unreachable. If it was
495 			 * previously reachable raise a trap. Send a
496 			 * burst if enabled.
497 			 */
498 			clock_filter(peer, 0., 0., MAXDISPERSE);
499 			if (oreach) {
500 				peer_unfit(peer);
501 				report_event(PEVNT_UNREACH, peer, NULL);
502 			}
503 			if (   (peer->flags & FLAG_IBURST)
504 			    && peer->retry == 0)
505 				peer->retry = NTP_RETRY;
506 		} else {
507 
508 			/*
509 			 * Here the peer is reachable. Send a burst if
510 			 * enabled and the peer is fit.  Reset unreach
511 			 * for persistent and ephemeral associations.
512 			 * Unreach is also reset for survivors in
513 			 * clock_select().
514 			 */
515 			hpoll = sys_poll;
516 			if (!(peer->flags & FLAG_PREEMPT))
517 				peer->unreach = 0;
518 			if (   (peer->flags & FLAG_BURST)
519 			    && peer->retry == 0
520 			    && !peer_unfit(peer))
521 				peer->retry = NTP_RETRY;
522 		}
523 
524 		/*
525 		 * Watch for timeout.  If ephemeral, toss the rascal;
526 		 * otherwise, bump the poll interval. Note the
527 		 * poll_update() routine will clamp it to maxpoll.
528 		 * If preemptible and we have more peers than maxclock,
529 		 * and this peer has the minimum score of preemptibles,
530 		 * demobilize.
531 		 */
532 		if (peer->unreach >= NTP_UNREACH) {
533 			hpoll++;
534 			/* ephemeral: no FLAG_CONFIG nor FLAG_PREEMPT */
535 			if (!(peer->flags & (FLAG_CONFIG | FLAG_PREEMPT))) {
536 				report_event(PEVNT_RESTART, peer, "timeout");
537 				peer_clear(peer, "TIME");
538 				unpeer(peer);
539 				return;
540 			}
541 			if (   (peer->flags & FLAG_PREEMPT)
542 			    && (peer_associations > sys_maxclock)
543 			    && score_all(peer)) {
544 				report_event(PEVNT_RESTART, peer, "timeout");
545 				peer_clear(peer, "TIME");
546 				unpeer(peer);
547 				return;
548 			}
549 		}
550 	} else {
551 		peer->burst--;
552 		if (peer->burst == 0) {
553 
554 			/*
555 			 * If ntpdate mode and the clock has not been
556 			 * set and all peers have completed the burst,
557 			 * we declare a successful failure.
558 			 */
559 			if (mode_ntpdate) {
560 				peer_ntpdate--;
561 				if (peer_ntpdate == 0) {
562 					msyslog(LOG_NOTICE,
563 					    "ntpd: no servers found");
564 					if (!msyslog_term)
565 						printf(
566 						    "ntpd: no servers found\n");
567 					exit (0);
568 				}
569 			}
570 		}
571 	}
572 	if (peer->retry > 0)
573 		peer->retry--;
574 
575 	/*
576 	 * Do not transmit if in broadcast client mode.
577 	 */
578 	poll_update(peer, hpoll, (peer->hmode == MODE_CLIENT));
579 	if (peer->hmode != MODE_BCLIENT)
580 		peer_xmit(peer);
581 
582 	return;
583 }
584 
585 
586 const char *
587 amtoa(
588 	int am
589 	)
590 {
591 	char *bp;
592 
593 	switch(am) {
594 	    case AM_ERR:	return "AM_ERR";
595 	    case AM_NOMATCH:	return "AM_NOMATCH";
596 	    case AM_PROCPKT:	return "AM_PROCPKT";
597 	    case AM_BCST:	return "AM_BCST";
598 	    case AM_FXMIT:	return "AM_FXMIT";
599 	    case AM_MANYCAST:	return "AM_MANYCAST";
600 	    case AM_NEWPASS:	return "AM_NEWPASS";
601 	    case AM_NEWBCL:	return "AM_NEWBCL";
602 	    case AM_POSSBCL:	return "AM_POSSBCL";
603 	    default:
604 		LIB_GETBUF(bp);
605 		snprintf(bp, LIB_BUFLENGTH, "AM_#%d", am);
606 		return bp;
607 	}
608 }
609 
610 
611 /*
612  * receive - receive procedure called for each packet received
613  */
614 void
615 receive(
616 	struct recvbuf *rbufp
617 	)
618 {
619 	register struct peer *peer;	/* peer structure pointer */
620 	register struct pkt *pkt;	/* receive packet pointer */
621 	u_char	hisversion;		/* packet version */
622 	u_char	hisleap;		/* packet leap indicator */
623 	u_char	hismode;		/* packet mode */
624 	u_char	hisstratum;		/* packet stratum */
625 	r4addr	r4a;			/* address restrictions */
626 	u_short	restrict_mask;		/* restrict bits */
627 	const char *hm_str;		/* hismode string */
628 	const char *am_str;		/* association match string */
629 	int	kissCode = NOKISS;	/* Kiss Code */
630 	int	has_mac;		/* length of MAC field */
631 	int	authlen;		/* offset of MAC field */
632 	auth_code is_authentic = AUTH_UNKNOWN;	/* Was AUTH_NONE */
633 	nak_code crypto_nak_test;	/* result of crypto-NAK check */
634 	int	retcode = AM_NOMATCH;	/* match code */
635 	keyid_t	skeyid = 0;		/* key IDs */
636 	u_int32	opcode = 0;		/* extension field opcode */
637 	sockaddr_u *dstadr_sin;		/* active runway */
638 	struct peer *peer2;		/* aux peer structure pointer */
639 	endpt	*match_ep;		/* newpeer() local address */
640 	l_fp	p_org;			/* origin timestamp */
641 	l_fp	p_rec;			/* receive timestamp */
642 	l_fp	p_xmt;			/* transmit timestamp */
643 #ifdef AUTOKEY
644 	char	hostname[NTP_MAXSTRLEN + 1];
645 	char	*groupname = NULL;
646 	struct autokey *ap;		/* autokey structure pointer */
647 	int	rval;			/* cookie snatcher */
648 	keyid_t	pkeyid = 0, tkeyid = 0;	/* key IDs */
649 #endif	/* AUTOKEY */
650 #ifdef HAVE_NTP_SIGND
651 	static unsigned char zero_key[16];
652 #endif /* HAVE_NTP_SIGND */
653 
654 	/*
655 	 * Note that there are many places we do not call record_raw_stats().
656 	 *
657 	 * We only want to call it *after* we've sent a response, or perhaps
658 	 * when we've decided to drop a packet.
659 	 */
660 
661 	/*
662 	 * Monitor the packet and get restrictions. Note that the packet
663 	 * length for control and private mode packets must be checked
664 	 * by the service routines. Some restrictions have to be handled
665 	 * later in order to generate a kiss-o'-death packet.
666 	 */
667 	/*
668 	 * Bogus port check is before anything, since it probably
669 	 * reveals a clogging attack. Likewise the mimimum packet size
670 	 * of 2 bytes (for mode 6/7) must be checked first.
671 	 */
672 	sys_received++;
673 	if (0 == SRCPORT(&rbufp->recv_srcadr) || rbufp->recv_length < 2) {
674 		sys_badlength++;
675 		return;				/* bogus port / length */
676 	}
677 	restrictions(&rbufp->recv_srcadr, &r4a);
678 	restrict_mask = r4a.rflags;
679 
680 	pkt = &rbufp->recv_pkt;
681 	hisversion = PKT_VERSION(pkt->li_vn_mode);
682 	hismode = (int)PKT_MODE(pkt->li_vn_mode);
683 
684 	if (restrict_mask & RES_IGNORE) {
685 		DPRINTF(2, ("receive: drop: RES_IGNORE\n"));
686 		sys_restricted++;
687 		return;				/* ignore everything */
688 	}
689 	if (hismode == MODE_PRIVATE) {
690 		if (!ntp_mode7 || (restrict_mask & RES_NOQUERY)) {
691 			DPRINTF(2, ("receive: drop: RES_NOQUERY\n"));
692 			sys_restricted++;
693 			return;			/* no query private */
694 		}
695 		process_private(rbufp, ((restrict_mask &
696 		    RES_NOMODIFY) == 0));
697 		return;
698 	}
699 	if (hismode == MODE_CONTROL) {
700 		if (restrict_mask & RES_NOQUERY) {
701 			DPRINTF(2, ("receive: drop: RES_NOQUERY\n"));
702 			sys_restricted++;
703 			return;			/* no query control */
704 		}
705 		process_control(rbufp, restrict_mask);
706 		return;
707 	}
708 	if (restrict_mask & RES_DONTSERVE) {
709 		DPRINTF(2, ("receive: drop: RES_DONTSERVE\n"));
710 		sys_restricted++;
711 		return;				/* no time serve */
712 	}
713 
714 
715 	/* If we arrive here, we should have a standard NTP packet. We
716 	 * check that the minimum size is available and fetch some more
717 	 * items from the packet once we can be sure they are indeed
718 	 * there.
719 	 */
720 	if (rbufp->recv_length < LEN_PKT_NOMAC) {
721 		sys_badlength++;
722 		return;				/* bogus length */
723 	}
724 
725 	hisleap = PKT_LEAP(pkt->li_vn_mode);
726 	hisstratum = PKT_TO_STRATUM(pkt->stratum);
727 	INSIST(0 != hisstratum); /* paranoia check PKT_TO_STRATUM result */
728 
729 	DPRINTF(1, ("receive: at %ld %s<-%s ippeerlimit %d mode %d iflags %s "
730 		    "restrict %s org %#010x.%08x xmt %#010x.%08x\n",
731 		    current_time, stoa(&rbufp->dstadr->sin),
732 		    stoa(&rbufp->recv_srcadr), r4a.ippeerlimit, hismode,
733 		    build_iflags(rbufp->dstadr->flags),
734 		    build_rflags(restrict_mask),
735 		    ntohl(pkt->org.l_ui), ntohl(pkt->org.l_uf),
736 		    ntohl(pkt->xmt.l_ui), ntohl(pkt->xmt.l_uf)));
737 
738 	/*
739 	 * This is for testing. If restricted drop ten percent of
740 	 * surviving packets.
741 	 */
742 	if (restrict_mask & RES_FLAKE) {
743 		if ((double)ntp_random() / 0x7fffffff < .1) {
744 			DPRINTF(2, ("receive: drop: RES_FLAKE\n"));
745 			sys_restricted++;
746 			return;			/* no flakeway */
747 		}
748 	}
749 
750 	/*
751 	** Format Layer Checks
752 	**
753 	** Validate the packet format.  The packet size, packet header,
754 	** and any extension field lengths are checked.  We identify
755 	** the beginning of the MAC, to identify the upper limit of
756 	** of the hash computation.
757 	**
758 	** In case of a format layer check violation, the packet is
759 	** discarded with no further processing.
760 	*/
761 
762 	/*
763 	 * Version check must be after the query packets, since they
764 	 * intentionally use an early version.
765 	 */
766 	if (hisversion == NTP_VERSION) {
767 		sys_newversion++;		/* new version */
768 	} else if (   !(restrict_mask & RES_VERSION)
769 		   && hisversion >= NTP_OLDVERSION) {
770 		sys_oldversion++;		/* previous version */
771 	} else {
772 		DPRINTF(2, ("receive: drop: RES_VERSION\n"));
773 		sys_badlength++;
774 		return;				/* old version */
775 	}
776 
777 	/*
778 	 * Figure out his mode and validate the packet. This has some
779 	 * legacy raunch that probably should be removed. In very early
780 	 * NTP versions mode 0 was equivalent to what later versions
781 	 * would interpret as client mode.
782 	 */
783 	if (hismode == MODE_UNSPEC) {
784 		if (hisversion == NTP_OLDVERSION) {
785 			hismode = MODE_CLIENT;
786 		} else {
787 			DPRINTF(2, ("receive: drop: MODE_UNSPEC\n"));
788 			sys_badlength++;
789 			return;			/* invalid mode */
790 		}
791 	}
792 
793 	/*
794 	 * Parse the extension field if present. We figure out whether
795 	 * an extension field is present by measuring the MAC size. If
796 	 * the number of words following the packet header is 0, no MAC
797 	 * is present and the packet is not authenticated. If 1, the
798 	 * packet is a crypto-NAK; if 3, the packet is authenticated
799 	 * with DES; if 5, the packet is authenticated with MD5; if 6,
800 	 * the packet is authenticated with SHA. If 2 or * 4, the packet
801 	 * is a runt and discarded forthwith. If greater than 6, an
802 	 * extension field is present, so we subtract the length of the
803 	 * field and go around again.
804 	 *
805 	 * Note the above description is lame.  We should/could also check
806 	 * the two bytes that make up the EF type and subtype, and then
807 	 * check the two bytes that tell us the EF length.  A legacy MAC
808 	 * has a 4 byte keyID, and for conforming symmetric keys its value
809 	 * must be <= 64k, meaning the top two bytes will always be zero.
810 	 * Since the EF Type of 0 is reserved/unused, there's no way a
811 	 * conforming legacy MAC could ever be misinterpreted as an EF.
812 	 *
813 	 * There is more, but this isn't the place to document it.
814 	 */
815 
816 	authlen = LEN_PKT_NOMAC;
817 	has_mac = rbufp->recv_length - authlen;
818 	while (has_mac > 0) {
819 		u_int32	len;
820 #ifdef AUTOKEY
821 		u_int32	hostlen;
822 		struct exten *ep;
823 #endif /*AUTOKEY */
824 
825 		if (has_mac % 4 != 0 || has_mac < (int)MIN_MAC_LEN) {
826 			DPRINTF(2, ("receive: drop: bad post-packet length\n"));
827 			sys_badlength++;
828 			return;			/* bad length */
829 		}
830 		/*
831 		 * This next test is clearly wrong - it needlessly
832 		 * prohibits short EFs (which don't yet exist)
833 		 */
834 		if (has_mac <= (int)MAX_MAC_LEN) {
835 			skeyid = ntohl(((u_int32 *)pkt)[authlen / 4]);
836 			break;
837 
838 		} else {
839 			opcode = ntohl(((u_int32 *)pkt)[authlen / 4]);
840 			len = opcode & 0xffff;
841 			if (   len % 4 != 0
842 			    || len < 4
843 			    || (int)len + authlen > rbufp->recv_length) {
844 				DPRINTF(2, ("receive: drop: bad EF length\n"));
845 				sys_badlength++;
846 				return;		/* bad length */
847 			}
848 #ifdef AUTOKEY
849 			/*
850 			 * Extract calling group name for later.  If
851 			 * sys_groupname is non-NULL, there must be
852 			 * a group name provided to elicit a response.
853 			 */
854 			if (   (opcode & 0x3fff0000) == CRYPTO_ASSOC
855 			    && sys_groupname != NULL) {
856 				ep = (struct exten *)&((u_int32 *)pkt)[authlen / 4];
857 				hostlen = ntohl(ep->vallen);
858 				if (   hostlen >= sizeof(hostname)
859 				    || hostlen > len -
860 						offsetof(struct exten, pkt)) {
861 					DPRINTF(2, ("receive: drop: bad autokey hostname length\n"));
862 					sys_badlength++;
863 					return;		/* bad length */
864 				}
865 				memcpy(hostname, &ep->pkt, hostlen);
866 				hostname[hostlen] = '\0';
867 				groupname = strchr(hostname, '@');
868 				if (groupname == NULL) {
869 					DPRINTF(2, ("receive: drop: empty autokey groupname\n"));
870 					sys_declined++;
871 					return;
872 				}
873 				groupname++;
874 			}
875 #endif /* AUTOKEY */
876 			authlen += len;
877 			has_mac -= len;
878 		}
879 	}
880 
881 	/*
882 	 * If has_mac is < 0 we had a malformed packet.
883 	 */
884 	if (has_mac < 0) {
885 		DPRINTF(2, ("receive: drop: post-packet under-read\n"));
886 		sys_badlength++;
887 		return;		/* bad length */
888 	}
889 
890 	/*
891 	** Packet Data Verification Layer
892 	**
893 	** This layer verifies the packet data content.  If
894 	** authentication is required, a MAC must be present.
895 	** If a MAC is present, it must validate.
896 	** Crypto-NAK?  Look - a shiny thing!
897 	**
898 	** If authentication fails, we're done.
899 	*/
900 
901 	/*
902 	 * If authentication is explicitly required, a MAC must be present.
903 	 */
904 	if (restrict_mask & RES_DONTTRUST && has_mac == 0) {
905 		DPRINTF(2, ("receive: drop: RES_DONTTRUST\n"));
906 		sys_restricted++;
907 		return;				/* access denied */
908 	}
909 
910 	/*
911 	 * Update the MRU list and finger the cloggers. It can be a
912 	 * little expensive, so turn it off for production use.
913 	 * RES_LIMITED and RES_KOD will be cleared in the returned
914 	 * restrict_mask unless one or both actions are warranted.
915 	 */
916 	restrict_mask = ntp_monitor(rbufp, restrict_mask);
917 	if (restrict_mask & RES_LIMITED) {
918 		sys_limitrejected++;
919 		if (   !(restrict_mask & RES_KOD)
920 		    || MODE_BROADCAST == hismode
921 		    || MODE_SERVER == hismode) {
922 			if (MODE_SERVER == hismode) {
923 				DPRINTF(1, ("Possibly self-induced rate limiting of MODE_SERVER from %s\n",
924 					stoa(&rbufp->recv_srcadr)));
925 			} else {
926 				DPRINTF(2, ("receive: drop: RES_KOD\n"));
927 			}
928 			return;			/* rate exceeded */
929 		}
930 		if (hismode == MODE_CLIENT) {
931 			fast_xmit(rbufp, MODE_SERVER, skeyid,
932 			    restrict_mask);
933 		} else {
934 			fast_xmit(rbufp, MODE_ACTIVE, skeyid,
935 			    restrict_mask);
936 		}
937 		return;				/* rate exceeded */
938 	}
939 	restrict_mask &= ~RES_KOD;
940 
941 	/*
942 	 * We have tossed out as many buggy packets as possible early in
943 	 * the game to reduce the exposure to a clogging attack. Now we
944 	 * have to burn some cycles to find the association and
945 	 * authenticate the packet if required. Note that we burn only
946 	 * digest cycles, again to reduce exposure. There may be no
947 	 * matching association and that's okay.
948 	 *
949 	 * More on the autokey mambo. Normally the local interface is
950 	 * found when the association was mobilized with respect to a
951 	 * designated remote address. We assume packets arriving from
952 	 * the remote address arrive via this interface and the local
953 	 * address used to construct the autokey is the unicast address
954 	 * of the interface. However, if the sender is a broadcaster,
955 	 * the interface broadcast address is used instead.
956 	 * Notwithstanding this technobabble, if the sender is a
957 	 * multicaster, the broadcast address is null, so we use the
958 	 * unicast address anyway. Don't ask.
959 	 */
960 
961 	peer = findpeer(rbufp,  hismode, &retcode);
962 	dstadr_sin = &rbufp->dstadr->sin;
963 	NTOHL_FP(&pkt->org, &p_org);
964 	NTOHL_FP(&pkt->rec, &p_rec);
965 	NTOHL_FP(&pkt->xmt, &p_xmt);
966 	hm_str = modetoa(hismode);
967 	am_str = amtoa(retcode);
968 
969 	/*
970 	 * Authentication is conditioned by three switches:
971 	 *
972 	 * NOPEER  (RES_NOPEER) do not mobilize an association unless
973 	 *         authenticated
974 	 * NOTRUST (RES_DONTTRUST) do not allow access unless
975 	 *         authenticated (implies NOPEER)
976 	 * enable  (sys_authenticate) master NOPEER switch, by default
977 	 *         on
978 	 *
979 	 * The NOPEER and NOTRUST can be specified on a per-client basis
980 	 * using the restrict command. The enable switch if on implies
981 	 * NOPEER for all clients. There are four outcomes:
982 	 *
983 	 * NONE    The packet has no MAC.
984 	 * OK      the packet has a MAC and authentication succeeds
985 	 * ERROR   the packet has a MAC and authentication fails
986 	 * CRYPTO  crypto-NAK. The MAC has four octets only.
987 	 *
988 	 * Note: The AUTH(x, y) macro is used to filter outcomes. If x
989 	 * is zero, acceptable outcomes of y are NONE and OK. If x is
990 	 * one, the only acceptable outcome of y is OK.
991 	 */
992 	crypto_nak_test = valid_NAK(peer, rbufp, hismode);
993 
994 	/*
995 	 * Drop any invalid crypto-NAKs
996 	 */
997 	if (crypto_nak_test == INVALIDNAK) {
998 		report_event(PEVNT_AUTH, peer, "Invalid_NAK");
999 		if (0 != peer) {
1000 			peer->badNAK++;
1001 		}
1002 		msyslog(LOG_ERR, "Invalid-NAK error at %ld %s<-%s",
1003 			current_time, stoa(dstadr_sin), stoa(&rbufp->recv_srcadr));
1004 		return;
1005 	}
1006 
1007 	if (has_mac == 0) {
1008 		restrict_mask &= ~RES_MSSNTP;
1009 		is_authentic = AUTH_NONE; /* not required */
1010 		DPRINTF(1, ("receive: at %ld %s<-%s mode %d/%s:%s len %d org %#010x.%08x xmt %#010x.%08x NOMAC\n",
1011 			    current_time, stoa(dstadr_sin),
1012 			    stoa(&rbufp->recv_srcadr), hismode, hm_str, am_str,
1013 			    authlen,
1014 			    ntohl(pkt->org.l_ui), ntohl(pkt->org.l_uf),
1015 			    ntohl(pkt->xmt.l_ui), ntohl(pkt->xmt.l_uf)));
1016 	} else if (crypto_nak_test == VALIDNAK) {
1017 		restrict_mask &= ~RES_MSSNTP;
1018 		is_authentic = AUTH_CRYPTO; /* crypto-NAK */
1019 		DPRINTF(1, ("receive: at %ld %s<-%s mode %d/%s:%s keyid %08x len %d auth %d org %#010x.%08x xmt %#010x.%08x CRYPTONAK\n",
1020 			    current_time, stoa(dstadr_sin),
1021 			    stoa(&rbufp->recv_srcadr), hismode, hm_str, am_str,
1022 			    skeyid, authlen + has_mac, is_authentic,
1023 			    ntohl(pkt->org.l_ui), ntohl(pkt->org.l_uf),
1024 			    ntohl(pkt->xmt.l_ui), ntohl(pkt->xmt.l_uf)));
1025 
1026 #ifdef HAVE_NTP_SIGND
1027 		/*
1028 		 * If the signature is 20 bytes long, the last 16 of
1029 		 * which are zero, then this is a Microsoft client
1030 		 * wanting AD-style authentication of the server's
1031 		 * reply.
1032 		 *
1033 		 * This is described in Microsoft's WSPP docs, in MS-SNTP:
1034 		 * http://msdn.microsoft.com/en-us/library/cc212930.aspx
1035 		 */
1036 	} else if (   has_mac == MAX_MD5_LEN
1037 		   && (restrict_mask & RES_MSSNTP)
1038 		   && (retcode == AM_FXMIT || retcode == AM_NEWPASS)
1039 		   && (memcmp(zero_key, (char *)pkt + authlen + 4,
1040 			      MAX_MD5_LEN - 4) == 0)) {
1041 		is_authentic = AUTH_NONE;
1042 		DPRINTF(1, ("receive: at %ld %s<-%s mode %d/%s:%s len %d org %#010x.%08x xmt %#010x.%08x SIGND\n",
1043 			    current_time, stoa(dstadr_sin),
1044 			    stoa(&rbufp->recv_srcadr), hismode, hm_str, am_str,
1045 			    authlen,
1046 			    ntohl(pkt->org.l_ui), ntohl(pkt->org.l_uf),
1047 			    ntohl(pkt->xmt.l_ui), ntohl(pkt->xmt.l_uf)));
1048 #endif /* HAVE_NTP_SIGND */
1049 
1050 	} else {
1051 		/*
1052 		 * has_mac is not 0
1053 		 * Not a VALID_NAK
1054 		 * Not an MS-SNTP SIGND packet
1055 		 *
1056 		 * So there is a MAC here.
1057 		 */
1058 
1059 		restrict_mask &= ~RES_MSSNTP;
1060 #ifdef AUTOKEY
1061 		/*
1062 		 * For autokey modes, generate the session key
1063 		 * and install in the key cache. Use the socket
1064 		 * broadcast or unicast address as appropriate.
1065 		 */
1066 		if (crypto_flags && skeyid > NTP_MAXKEY) {
1067 
1068 			/*
1069 			 * More on the autokey dance (AKD). A cookie is
1070 			 * constructed from public and private values.
1071 			 * For broadcast packets, the cookie is public
1072 			 * (zero). For packets that match no
1073 			 * association, the cookie is hashed from the
1074 			 * addresses and private value. For server
1075 			 * packets, the cookie was previously obtained
1076 			 * from the server. For symmetric modes, the
1077 			 * cookie was previously constructed using an
1078 			 * agreement protocol; however, should PKI be
1079 			 * unavailable, we construct a fake agreement as
1080 			 * the EXOR of the peer and host cookies.
1081 			 *
1082 			 * hismode	ephemeral	persistent
1083 			 * =======================================
1084 			 * active	0		cookie#
1085 			 * passive	0%		cookie#
1086 			 * client	sys cookie	0%
1087 			 * server	0%		sys cookie
1088 			 * broadcast	0		0
1089 			 *
1090 			 * # if unsync, 0
1091 			 * % can't happen
1092 			 */
1093 			if (has_mac < (int)MAX_MD5_LEN) {
1094 				DPRINTF(2, ("receive: drop: MD5 digest too short\n"));
1095 				sys_badauth++;
1096 				return;
1097 			}
1098 			if (hismode == MODE_BROADCAST) {
1099 
1100 				/*
1101 				 * For broadcaster, use the interface
1102 				 * broadcast address when available;
1103 				 * otherwise, use the unicast address
1104 				 * found when the association was
1105 				 * mobilized. However, if this is from
1106 				 * the wildcard interface, game over.
1107 				 */
1108 				if (   crypto_flags
1109 				    && rbufp->dstadr ==
1110 				       ANY_INTERFACE_CHOOSE(&rbufp->recv_srcadr)) {
1111 					DPRINTF(2, ("receive: drop: BCAST from wildcard\n"));
1112 					sys_restricted++;
1113 					return;		/* no wildcard */
1114 				}
1115 				pkeyid = 0;
1116 				if (!SOCK_UNSPEC(&rbufp->dstadr->bcast))
1117 					dstadr_sin =
1118 					    &rbufp->dstadr->bcast;
1119 			} else if (peer == NULL) {
1120 				pkeyid = session_key(
1121 				    &rbufp->recv_srcadr, dstadr_sin, 0,
1122 				    sys_private, 0);
1123 			} else {
1124 				pkeyid = peer->pcookie;
1125 			}
1126 
1127 			/*
1128 			 * The session key includes both the public
1129 			 * values and cookie. In case of an extension
1130 			 * field, the cookie used for authentication
1131 			 * purposes is zero. Note the hash is saved for
1132 			 * use later in the autokey mambo.
1133 			 */
1134 			if (authlen > (int)LEN_PKT_NOMAC && pkeyid != 0) {
1135 				session_key(&rbufp->recv_srcadr,
1136 				    dstadr_sin, skeyid, 0, 2);
1137 				tkeyid = session_key(
1138 				    &rbufp->recv_srcadr, dstadr_sin,
1139 				    skeyid, pkeyid, 0);
1140 			} else {
1141 				tkeyid = session_key(
1142 				    &rbufp->recv_srcadr, dstadr_sin,
1143 				    skeyid, pkeyid, 2);
1144 			}
1145 
1146 		}
1147 #endif	/* AUTOKEY */
1148 
1149 		/*
1150 		 * Compute the cryptosum. Note a clogging attack may
1151 		 * succeed in bloating the key cache. If an autokey,
1152 		 * purge it immediately, since we won't be needing it
1153 		 * again. If the packet is authentic, it can mobilize an
1154 		 * association. Note that there is no key zero.
1155 		 */
1156 		if (!authdecrypt(skeyid, (u_int32 *)pkt, authlen,
1157 		    has_mac))
1158 			is_authentic = AUTH_ERROR;
1159 		else
1160 			is_authentic = AUTH_OK;
1161 #ifdef AUTOKEY
1162 		if (crypto_flags && skeyid > NTP_MAXKEY)
1163 			authtrust(skeyid, 0);
1164 #endif	/* AUTOKEY */
1165 		DPRINTF(1, ("receive: at %ld %s<-%s mode %d/%s:%s keyid %08x len %d auth %d org %#010x.%08x xmt %#010x.%08x MAC\n",
1166 			    current_time, stoa(dstadr_sin),
1167 			    stoa(&rbufp->recv_srcadr), hismode, hm_str, am_str,
1168 			    skeyid, authlen + has_mac, is_authentic,
1169 			    ntohl(pkt->org.l_ui), ntohl(pkt->org.l_uf),
1170 			    ntohl(pkt->xmt.l_ui), ntohl(pkt->xmt.l_uf)));
1171 	}
1172 
1173 
1174 	/*
1175 	 * Bug 3454:
1176 	 *
1177 	 * Now come at this from a different perspective:
1178 	 * - If we expect a MAC and it's not there, we drop it.
1179 	 * - If we expect one keyID and get another, we drop it.
1180 	 * - If we have a MAC ahd it hasn't been validated yet, try.
1181 	 * - if the provided MAC doesn't validate, we drop it.
1182 	 *
1183 	 * There might be more to this.
1184 	 */
1185 	if (0 != peer && 0 != peer->keyid) {
1186 		/* Should we msyslog() any of these? */
1187 
1188 		/*
1189 		 * This should catch:
1190 		 * - no keyID where one is expected,
1191 		 * - different keyID than what we expect.
1192 		 */
1193 		if (peer->keyid != skeyid) {
1194 			DPRINTF(2, ("receive: drop: Wanted keyID %d, got %d from %s\n",
1195 				    peer->keyid, skeyid,
1196 				    stoa(&rbufp->recv_srcadr)));
1197 			sys_restricted++;
1198 			return;			/* drop: access denied */
1199 		}
1200 
1201 		/*
1202 		 * if has_mac != 0 ...
1203 		 * - If it has not yet been validated, do so.
1204 		 *   (under what circumstances might that happen?)
1205 		 * - if missing or bad MAC, log and drop.
1206 		 */
1207 		if (0 != has_mac) {
1208 			if (is_authentic == AUTH_UNKNOWN) {
1209 				/* How can this happen? */
1210 				DPRINTF(2, ("receive: 3454 check: AUTH_UNKNOWN from %s\n",
1211 				    stoa(&rbufp->recv_srcadr)));
1212 				if (!authdecrypt(skeyid, (u_int32 *)pkt, authlen,
1213 				    has_mac)) {
1214 					/* MAC invalid or not found */
1215 					is_authentic = AUTH_ERROR;
1216 				} else {
1217 					is_authentic = AUTH_OK;
1218 				}
1219 			}
1220 			if (is_authentic != AUTH_OK) {
1221 				DPRINTF(2, ("receive: drop: missing or bad MAC from %s\n",
1222 					    stoa(&rbufp->recv_srcadr)));
1223 				sys_restricted++;
1224 				return;		/* drop: access denied */
1225 			}
1226 		}
1227 	}
1228 	/**/
1229 
1230 	/*
1231 	** On-Wire Protocol Layer
1232 	**
1233 	** Verify protocol operations consistent with the on-wire protocol.
1234 	** The protocol discards bogus and duplicate packets as well as
1235 	** minimizes disruptions doe to protocol restarts and dropped
1236 	** packets.  The operations are controlled by two timestamps:
1237 	** the transmit timestamp saved in the client state variables,
1238 	** and the origin timestamp in the server packet header.  The
1239 	** comparison of these two timestamps is called the loopback test.
1240 	** The transmit timestamp functions as a nonce to verify that the
1241 	** response corresponds to the original request.  The transmit
1242 	** timestamp also serves to discard replays of the most recent
1243 	** packet.  Upon failure of either test, the packet is discarded
1244 	** with no further action.
1245 	*/
1246 
1247 	/*
1248 	 * The association matching rules are implemented by a set of
1249 	 * routines and an association table. A packet matching an
1250 	 * association is processed by the peer process for that
1251 	 * association. If there are no errors, an ephemeral association
1252 	 * is mobilized: a broadcast packet mobilizes a broadcast client
1253 	 * aassociation; a manycast server packet mobilizes a manycast
1254 	 * client association; a symmetric active packet mobilizes a
1255 	 * symmetric passive association.
1256 	 */
1257 	DPRINTF(1, ("receive: MATCH_ASSOC dispatch: mode %d/%s:%s \n",
1258 		hismode, hm_str, am_str));
1259 	switch (retcode) {
1260 
1261 	/*
1262 	 * This is a client mode packet not matching any association. If
1263 	 * an ordinary client, simply toss a server mode packet back
1264 	 * over the fence. If a manycast client, we have to work a
1265 	 * little harder.
1266 	 *
1267 	 * There are cases here where we do not call record_raw_stats().
1268 	 */
1269 	case AM_FXMIT:
1270 
1271 		/*
1272 		 * If authentication OK, send a server reply; otherwise,
1273 		 * send a crypto-NAK.
1274 		 */
1275 		if (!(rbufp->dstadr->flags & INT_MCASTOPEN)) {
1276 			/* HMS: would be nice to log FAST_XMIT|BADAUTH|RESTRICTED */
1277 			record_raw_stats(&rbufp->recv_srcadr,
1278 			    &rbufp->dstadr->sin,
1279 			    &p_org, &p_rec, &p_xmt, &rbufp->recv_time,
1280 			    PKT_LEAP(pkt->li_vn_mode),
1281 			    PKT_VERSION(pkt->li_vn_mode),
1282 			    PKT_MODE(pkt->li_vn_mode),
1283 			    PKT_TO_STRATUM(pkt->stratum),
1284 			    pkt->ppoll,
1285 			    pkt->precision,
1286 			    FPTOD(NTOHS_FP(pkt->rootdelay)),
1287 			    FPTOD(NTOHS_FP(pkt->rootdisp)),
1288 			    pkt->refid,
1289 			    rbufp->recv_length - MIN_V4_PKT_LEN, (u_char *)&pkt->exten);
1290 
1291 			if (AUTH(restrict_mask & RES_DONTTRUST,
1292 			   is_authentic)) {
1293 				/* Bug 3596: Do we want to fuzz the reftime? */
1294 				fast_xmit(rbufp, MODE_SERVER, skeyid,
1295 				    restrict_mask);
1296 			} else if (is_authentic == AUTH_ERROR) {
1297 				/* Bug 3596: Do we want to fuzz the reftime? */
1298 				fast_xmit(rbufp, MODE_SERVER, 0,
1299 				    restrict_mask);
1300 				sys_badauth++;
1301 			} else {
1302 				DPRINTF(2, ("receive: AM_FXMIT drop: !mcast restricted\n"));
1303 				sys_restricted++;
1304 			}
1305 
1306 			return;			/* hooray */
1307 		}
1308 
1309 		/*
1310 		 * This must be manycast. Do not respond if not
1311 		 * configured as a manycast server.
1312 		 */
1313 		if (!sys_manycastserver) {
1314 			DPRINTF(2, ("receive: AM_FXMIT drop: Not manycastserver\n"));
1315 			sys_restricted++;
1316 			return;			/* not enabled */
1317 		}
1318 
1319 #ifdef AUTOKEY
1320 		/*
1321 		 * Do not respond if not the same group.
1322 		 */
1323 		if (group_test(groupname, NULL)) {
1324 			DPRINTF(2, ("receive: AM_FXMIT drop: empty groupname\n"));
1325 			sys_declined++;
1326 			return;
1327 		}
1328 #endif /* AUTOKEY */
1329 
1330 		/*
1331 		 * Do not respond if we are not synchronized or our
1332 		 * stratum is greater than the manycaster or the
1333 		 * manycaster has already synchronized to us.
1334 		 */
1335 		if (   sys_leap == LEAP_NOTINSYNC
1336 		    || sys_stratum > hisstratum + 1
1337 		    || (!sys_cohort && sys_stratum == hisstratum + 1)
1338 		    || rbufp->dstadr->addr_refid == pkt->refid) {
1339 			DPRINTF(2, ("receive: sys leap: %0x, sys_stratum %d > hisstratum+1 %d, !sys_cohort %d && sys_stratum == hisstratum+1, loop refid %#x == pkt refid %#x\n", sys_leap, sys_stratum, hisstratum + 1, !sys_cohort, rbufp->dstadr->addr_refid, pkt->refid));
1340 			DPRINTF(2, ("receive: AM_FXMIT drop: LEAP_NOTINSYNC || stratum || loop\n"));
1341 			sys_declined++;
1342 			return;			/* no help */
1343 		}
1344 
1345 		/*
1346 		 * Respond only if authentication succeeds. Don't do a
1347 		 * crypto-NAK, as that would not be useful.
1348 		 */
1349 		if (AUTH(restrict_mask & RES_DONTTRUST, is_authentic)) {
1350 			record_raw_stats(&rbufp->recv_srcadr,
1351 			    &rbufp->dstadr->sin,
1352 			    &p_org, &p_rec, &p_xmt, &rbufp->recv_time,
1353 			    PKT_LEAP(pkt->li_vn_mode),
1354 			    PKT_VERSION(pkt->li_vn_mode),
1355 			    PKT_MODE(pkt->li_vn_mode),
1356 			    PKT_TO_STRATUM(pkt->stratum),
1357 			    pkt->ppoll,
1358 			    pkt->precision,
1359 			    FPTOD(NTOHS_FP(pkt->rootdelay)),
1360 			    FPTOD(NTOHS_FP(pkt->rootdisp)),
1361 			    pkt->refid,
1362 			    rbufp->recv_length - MIN_V4_PKT_LEN, (u_char *)&pkt->exten);
1363 
1364 			/* Bug 3596: Do we want to fuzz the reftime? */
1365 			fast_xmit(rbufp, MODE_SERVER, skeyid,
1366 			    restrict_mask);
1367 		}
1368 		return;				/* hooray */
1369 
1370 	/*
1371 	 * This is a server mode packet returned in response to a client
1372 	 * mode packet sent to a multicast group address (for
1373 	 * manycastclient) or to a unicast address (for pool). The
1374 	 * origin timestamp is a good nonce to reliably associate the
1375 	 * reply with what was sent. If there is no match, that's
1376 	 * curious and could be an intruder attempting to clog, so we
1377 	 * just ignore it.
1378 	 *
1379 	 * If the packet is authentic and the manycastclient or pool
1380 	 * association is found, we mobilize a client association and
1381 	 * copy pertinent variables from the manycastclient or pool
1382 	 * association to the new client association. If not, just
1383 	 * ignore the packet.
1384 	 *
1385 	 * There is an implosion hazard at the manycast client, since
1386 	 * the manycast servers send the server packet immediately. If
1387 	 * the guy is already here, don't fire up a duplicate.
1388 	 *
1389 	 * There are cases here where we do not call record_raw_stats().
1390 	 */
1391 	case AM_MANYCAST:
1392 
1393 #ifdef AUTOKEY
1394 		/*
1395 		 * Do not respond if not the same group.
1396 		 */
1397 		if (group_test(groupname, NULL)) {
1398 			DPRINTF(2, ("receive: AM_MANYCAST drop: empty groupname\n"));
1399 			sys_declined++;
1400 			return;
1401 		}
1402 #endif /* AUTOKEY */
1403 		if ((peer2 = findmanycastpeer(rbufp)) == NULL) {
1404 			DPRINTF(2, ("receive: AM_MANYCAST drop: No manycast peer\n"));
1405 			sys_restricted++;
1406 			return;			/* not enabled */
1407 		}
1408 		if (!AUTH(  (!(peer2->cast_flags & MDF_POOL)
1409 			     && sys_authenticate)
1410 			  || (restrict_mask & (RES_NOPEER |
1411 			      RES_DONTTRUST)), is_authentic)
1412 		    /* MC: RES_NOEPEER? */
1413 		   ) {
1414 			DPRINTF(2, ("receive: AM_MANYCAST drop: bad auth || (NOPEER|DONTTRUST)\n"));
1415 			sys_restricted++;
1416 			return;			/* access denied */
1417 		}
1418 
1419 		/*
1420 		 * Do not respond if unsynchronized or stratum is below
1421 		 * the floor or at or above the ceiling.
1422 		 */
1423 		if (   hisleap == LEAP_NOTINSYNC
1424 		    || hisstratum < sys_floor
1425 		    || hisstratum >= sys_ceiling) {
1426 			DPRINTF(2, ("receive: AM_MANYCAST drop: unsync/stratum\n"));
1427 			sys_declined++;
1428 			return;			/* no help */
1429 		}
1430 		peer = newpeer(&rbufp->recv_srcadr, NULL, rbufp->dstadr,
1431 			       r4a.ippeerlimit, MODE_CLIENT, hisversion,
1432 			       peer2->minpoll, peer2->maxpoll,
1433 			       (FLAG_PREEMPT | (POOL_FLAG_PMASK & peer2->flags)),
1434 			       (MDF_UCAST | MDF_UCLNT), 0, skeyid, sys_ident);
1435 		if (NULL == peer) {
1436 			DPRINTF(2, ("receive: AM_MANYCAST drop: duplicate\n"));
1437 			sys_declined++;
1438 			return;			/* ignore duplicate */
1439 		}
1440 
1441 		/*
1442 		 * After each ephemeral pool association is spun,
1443 		 * accelerate the next poll for the pool solicitor so
1444 		 * the pool will fill promptly.
1445 		 */
1446 		if (peer2->cast_flags & MDF_POOL)
1447 			peer2->nextdate = current_time + 1;
1448 
1449 		/*
1450 		 * Further processing of the solicitation response would
1451 		 * simply detect its origin timestamp as bogus for the
1452 		 * brand-new association (it matches the prototype
1453 		 * association) and tinker with peer->nextdate delaying
1454 		 * first sync.
1455 		 */
1456 		return;		/* solicitation response handled */
1457 
1458 	/*
1459 	 * This is the first packet received from a broadcast server. If
1460 	 * the packet is authentic and we are enabled as broadcast
1461 	 * client, mobilize a broadcast client association. We don't
1462 	 * kiss any frogs here.
1463 	 *
1464 	 * There are cases here where we do not call record_raw_stats().
1465 	 */
1466 	case AM_NEWBCL:
1467 
1468 #ifdef AUTOKEY
1469 		/*
1470 		 * Do not respond if not the same group.
1471 		 */
1472 		if (group_test(groupname, sys_ident)) {
1473 			DPRINTF(2, ("receive: AM_NEWBCL drop: groupname mismatch\n"));
1474 			sys_declined++;
1475 			return;
1476 		}
1477 #endif /* AUTOKEY */
1478 		if (sys_bclient == 0) {
1479 			DPRINTF(2, ("receive: AM_NEWBCL drop: not a bclient\n"));
1480 			sys_restricted++;
1481 			return;			/* not enabled */
1482 		}
1483 		if (!AUTH(sys_authenticate | (restrict_mask &
1484 			  (RES_NOPEER | RES_DONTTRUST)), is_authentic)
1485 		    /* NEWBCL: RES_NOEPEER? */
1486 		   ) {
1487 			DPRINTF(2, ("receive: AM_NEWBCL drop: AUTH failed\n"));
1488 			sys_restricted++;
1489 			return;			/* access denied */
1490 		}
1491 
1492 		/*
1493 		 * Do not respond if unsynchronized or stratum is below
1494 		 * the floor or at or above the ceiling.
1495 		 */
1496 		if (   hisleap == LEAP_NOTINSYNC
1497 		    || hisstratum < sys_floor
1498 		    || hisstratum >= sys_ceiling) {
1499 			DPRINTF(2, ("receive: AM_NEWBCL drop: Unsync or bad stratum\n"));
1500 			sys_declined++;
1501 			return;			/* no help */
1502 		}
1503 
1504 #ifdef AUTOKEY
1505 		/*
1506 		 * Do not respond if Autokey and the opcode is not a
1507 		 * CRYPTO_ASSOC response with association ID.
1508 		 */
1509 		if (   crypto_flags && skeyid > NTP_MAXKEY
1510 		    && (opcode & 0xffff0000) != (CRYPTO_ASSOC | CRYPTO_RESP)) {
1511 			DPRINTF(2, ("receive: AM_NEWBCL drop: Autokey but not CRYPTO_ASSOC\n"));
1512 			sys_declined++;
1513 			return;			/* protocol error */
1514 		}
1515 #endif	/* AUTOKEY */
1516 
1517 		/*
1518 		 * Broadcasts received via a multicast address may
1519 		 * arrive after a unicast volley has begun
1520 		 * with the same remote address.  newpeer() will not
1521 		 * find duplicate associations on other local endpoints
1522 		 * if a non-NULL endpoint is supplied.  multicastclient
1523 		 * ephemeral associations are unique across all local
1524 		 * endpoints.
1525 		 */
1526 		if (!(INT_MCASTOPEN & rbufp->dstadr->flags))
1527 			match_ep = rbufp->dstadr;
1528 		else
1529 			match_ep = NULL;
1530 
1531 		/*
1532 		 * Determine whether to execute the initial volley.
1533 		 */
1534 		if (sys_bdelay > 0.0) {
1535 #ifdef AUTOKEY
1536 			/*
1537 			 * If a two-way exchange is not possible,
1538 			 * neither is Autokey.
1539 			 */
1540 			if (crypto_flags && skeyid > NTP_MAXKEY) {
1541 				sys_restricted++;
1542 				DPRINTF(2, ("receive: AM_NEWBCL drop: Autokey but not 2-way\n"));
1543 				return;		/* no autokey */
1544 			}
1545 #endif	/* AUTOKEY */
1546 
1547 			/*
1548 			 * Do not execute the volley. Start out in
1549 			 * broadcast client mode.
1550 			 */
1551 			peer = newpeer(&rbufp->recv_srcadr, NULL, match_ep,
1552 			    r4a.ippeerlimit, MODE_BCLIENT, hisversion,
1553 			    pkt->ppoll, pkt->ppoll,
1554 			    FLAG_PREEMPT, MDF_BCLNT, 0, skeyid, sys_ident);
1555 			if (NULL == peer) {
1556 				DPRINTF(2, ("receive: AM_NEWBCL drop: duplicate\n"));
1557 				sys_restricted++;
1558 				return;		/* ignore duplicate */
1559 
1560 			} else {
1561 				peer->delay = sys_bdelay;
1562 				peer->bxmt = p_xmt;
1563 			}
1564 			break;
1565 		}
1566 
1567 		/*
1568 		 * Execute the initial volley in order to calibrate the
1569 		 * propagation delay and run the Autokey protocol.
1570 		 *
1571 		 * Note that the minpoll is taken from the broadcast
1572 		 * packet, normally 6 (64 s) and that the poll interval
1573 		 * is fixed at this value.
1574 		 */
1575 		peer = newpeer(&rbufp->recv_srcadr, NULL, match_ep,
1576 			       r4a.ippeerlimit, MODE_CLIENT, hisversion,
1577 			       pkt->ppoll, pkt->ppoll,
1578 			       FLAG_BC_VOL | FLAG_IBURST | FLAG_PREEMPT, MDF_BCLNT,
1579 			       0, skeyid, sys_ident);
1580 		if (NULL == peer) {
1581 			DPRINTF(2, ("receive: AM_NEWBCL drop: empty newpeer() failed\n"));
1582 			sys_restricted++;
1583 			return;			/* ignore duplicate */
1584 		}
1585 		peer->bxmt = p_xmt;
1586 #ifdef AUTOKEY
1587 		if (skeyid > NTP_MAXKEY)
1588 			crypto_recv(peer, rbufp);
1589 #endif	/* AUTOKEY */
1590 
1591 		return;				/* hooray */
1592 
1593 	/*
1594 	 * This is the first packet received from a potential ephemeral
1595 	 * symmetric active peer.  First, deal with broken Windows clients.
1596 	 * Then, if NOEPEER is enabled, drop it.  If the packet meets our
1597 	 * authenticty requirements and is the first he sent, mobilize
1598 	 * a passive association.
1599 	 * Otherwise, kiss the frog.
1600 	 *
1601 	 * There are cases here where we do not call record_raw_stats().
1602 	 */
1603 	case AM_NEWPASS:
1604 
1605 		DEBUG_REQUIRE(MODE_ACTIVE == hismode);
1606 
1607 #ifdef AUTOKEY
1608 		/*
1609 		 * Do not respond if not the same group.
1610 		 */
1611 		if (group_test(groupname, sys_ident)) {
1612 			DPRINTF(2, ("receive: AM_NEWPASS drop: Autokey group mismatch\n"));
1613 			sys_declined++;
1614 			return;
1615 		}
1616 #endif /* AUTOKEY */
1617 		if (!AUTH(sys_authenticate | (restrict_mask &
1618 			  (RES_NOPEER | RES_DONTTRUST)), is_authentic)
1619 		   ) {
1620 			/*
1621 			 * If authenticated but cannot mobilize an
1622 			 * association, send a symmetric passive
1623 			 * response without mobilizing an association.
1624 			 * This is for drat broken Windows clients. See
1625 			 * Microsoft KB 875424 for preferred workaround.
1626 			 */
1627 			if (AUTH(restrict_mask & RES_DONTTRUST,
1628 				 is_authentic)) {
1629 				fast_xmit(rbufp, MODE_PASSIVE, skeyid,
1630 				    restrict_mask);
1631 				return;			/* hooray */
1632 			}
1633 			/* HMS: Why is this next set of lines a feature? */
1634 			if (is_authentic == AUTH_ERROR) {
1635 				fast_xmit(rbufp, MODE_PASSIVE, 0,
1636 				    restrict_mask);
1637 				sys_restricted++;
1638 				return;
1639 			}
1640 
1641 			if (restrict_mask & RES_NOEPEER) {
1642 				DPRINTF(2, ("receive: AM_NEWPASS drop: NOEPEER\n"));
1643 				sys_declined++;
1644 				return;
1645 			}
1646 
1647 			/* [Bug 2941]
1648 			 * If we got here, the packet isn't part of an
1649 			 * existing association, either isn't correctly
1650 			 * authenticated or it is but we are refusing
1651 			 * ephemeral peer requests, and it didn't meet
1652 			 * either of the previous two special cases so we
1653 			 * should just drop it on the floor.  For example,
1654 			 * crypto-NAKs (is_authentic == AUTH_CRYPTO)
1655 			 * will make it this far.  This is just
1656 			 * debug-printed and not logged to avoid log
1657 			 * flooding.
1658 			 */
1659 			DPRINTF(2, ("receive: at %ld refusing to mobilize passive association"
1660 				    " with unknown peer %s mode %d/%s:%s keyid %08x len %d auth %d\n",
1661 				    current_time, stoa(&rbufp->recv_srcadr),
1662 				    hismode, hm_str, am_str, skeyid,
1663 				    (authlen + has_mac), is_authentic));
1664 			sys_declined++;
1665 			return;
1666 		}
1667 
1668 		if (restrict_mask & RES_NOEPEER) {
1669 			DPRINTF(2, ("receive: AM_NEWPASS drop: NOEPEER\n"));
1670 			sys_declined++;
1671 			return;
1672 		}
1673 
1674 		/*
1675 		 * Do not respond if synchronized and if stratum is
1676 		 * below the floor or at or above the ceiling. Note,
1677 		 * this allows an unsynchronized peer to synchronize to
1678 		 * us. It would be very strange if he did and then was
1679 		 * nipped, but that could only happen if we were
1680 		 * operating at the top end of the range.  It also means
1681 		 * we will spin an ephemeral association in response to
1682 		 * MODE_ACTIVE KoDs, which will time out eventually.
1683 		 */
1684 		if (   hisleap != LEAP_NOTINSYNC
1685 		       && (hisstratum < sys_floor || hisstratum >= sys_ceiling)) {
1686 			DPRINTF(2, ("receive: AM_NEWPASS drop: Remote stratum (%d) out of range\n",
1687 					hisstratum));
1688 			sys_declined++;
1689 			return;			/* no help */
1690 		}
1691 
1692 		/*
1693 		 * The message is correctly authenticated and allowed.
1694 		 * Mobilize a symmetric passive association, if we won't
1695 		 * exceed the ippeerlimit.
1696 		 */
1697 		if ((peer = newpeer(&rbufp->recv_srcadr, NULL, rbufp->dstadr,
1698 				    r4a.ippeerlimit, MODE_PASSIVE, hisversion,
1699 				    pkt->ppoll, NTP_MAXDPOLL, 0, MDF_UCAST, 0,
1700 				    skeyid, sys_ident)) == NULL) {
1701 			DPRINTF(2, ("receive: AM_NEWPASS drop: newpeer() failed\n"));
1702 			sys_declined++;
1703 			return;			/* ignore duplicate */
1704 		}
1705 		break;
1706 
1707 
1708 	/*
1709 	 * Process regular packet. Nothing special.
1710 	 *
1711 	 * There are cases here where we do not call record_raw_stats().
1712 	 */
1713 	case AM_PROCPKT:
1714 
1715 #ifdef AUTOKEY
1716 		/*
1717 		 * Do not respond if not the same group.
1718 		 */
1719 		if (group_test(groupname, peer->ident)) {
1720 			DPRINTF(2, ("receive: AM_PROCPKT drop: Autokey group mismatch\n"));
1721 			sys_declined++;
1722 			return;
1723 		}
1724 #endif /* AUTOKEY */
1725 
1726 		if (MODE_BROADCAST == hismode) {
1727 			int	bail = 0;
1728 			l_fp	tdiff;
1729 			u_long	deadband;
1730 
1731 			DPRINTF(2, ("receive: PROCPKT/BROADCAST: prev pkt %ld seconds ago, ppoll: %d, %d secs\n",
1732 				    (current_time - peer->timelastrec),
1733 				    peer->ppoll, (1 << peer->ppoll)
1734 				    ));
1735 			/* Things we can check:
1736 			 *
1737 			 * Did the poll interval change?
1738 			 * Is the poll interval in the packet in-range?
1739 			 * Did this packet arrive too soon?
1740 			 * Is the timestamp in this packet monotonic
1741 			 *  with respect to the previous packet?
1742 			 */
1743 
1744 			/* This is noteworthy, not error-worthy */
1745 			if (pkt->ppoll != peer->ppoll) {
1746 				msyslog(LOG_INFO, "receive: broadcast poll from %s changed from %u to %u",
1747 					stoa(&rbufp->recv_srcadr),
1748 					peer->ppoll, pkt->ppoll);
1749 			}
1750 
1751 			/* This is error-worthy */
1752 			if (   pkt->ppoll < peer->minpoll
1753 			    || pkt->ppoll > peer->maxpoll) {
1754 				msyslog(LOG_INFO, "receive: broadcast poll of %u from %s is out-of-range (%d to %d)!",
1755 					pkt->ppoll, stoa(&rbufp->recv_srcadr),
1756 					peer->minpoll, peer->maxpoll);
1757 				++bail;
1758 			}
1759 
1760 			/* too early? worth an error, too!
1761 			 *
1762 			 * [Bug 3113] Ensure that at least one poll
1763 			 * interval has elapsed since the last **clean**
1764 			 * packet was received.  We limit the check to
1765 			 * **clean** packets to prevent replayed packets
1766 			 * and incorrectly authenticated packets, which
1767 			 * we'll discard, from being used to create a
1768 			 * denial of service condition.
1769 			 */
1770 			deadband = (1u << pkt->ppoll);
1771 			if (FLAG_BC_VOL & peer->flags)
1772 				deadband -= 3;	/* allow greater fuzz after volley */
1773 			if ((current_time - peer->timereceived) < deadband) {
1774 				msyslog(LOG_INFO, "receive: broadcast packet from %s arrived after %lu, not %lu seconds!",
1775 					stoa(&rbufp->recv_srcadr),
1776 					(current_time - peer->timereceived),
1777 					deadband);
1778 				++bail;
1779 			}
1780 
1781 			/* Alert if time from the server is non-monotonic.
1782 			 *
1783 			 * [Bug 3114] is about Broadcast mode replay DoS.
1784 			 *
1785 			 * Broadcast mode *assumes* a trusted network.
1786 			 * Even so, it's nice to be robust in the face
1787 			 * of attacks.
1788 			 *
1789 			 * If we get an authenticated broadcast packet
1790 			 * with an "earlier" timestamp, it means one of
1791 			 * two things:
1792 			 *
1793 			 * - the broadcast server had a backward step.
1794 			 *
1795 			 * - somebody is trying a replay attack.
1796 			 *
1797 			 * deadband: By default, we assume the broadcast
1798 			 * network is trustable, so we take our accepted
1799 			 * broadcast packets as we receive them.  But
1800 			 * some folks might want to take additional poll
1801 			 * delays before believing a backward step.
1802 			 */
1803 			if (sys_bcpollbstep) {
1804 				/* pkt->ppoll or peer->ppoll ? */
1805 				deadband = (1u << pkt->ppoll)
1806 					   * sys_bcpollbstep + 2;
1807 			} else {
1808 				deadband = 0;
1809 			}
1810 
1811 			if (L_ISZERO(&peer->bxmt)) {
1812 				tdiff.l_ui = tdiff.l_uf = 0;
1813 			} else {
1814 				tdiff = p_xmt;
1815 				L_SUB(&tdiff, &peer->bxmt);
1816 			}
1817 			if (   tdiff.l_i < 0
1818 			    && (current_time - peer->timereceived) < deadband)
1819 			{
1820 				msyslog(LOG_INFO, "receive: broadcast packet from %s contains non-monotonic timestamp: %#010x.%08x -> %#010x.%08x",
1821 					stoa(&rbufp->recv_srcadr),
1822 					peer->bxmt.l_ui, peer->bxmt.l_uf,
1823 					p_xmt.l_ui, p_xmt.l_uf
1824 					);
1825 				++bail;
1826 			}
1827 
1828 			if (bail) {
1829 				DPRINTF(2, ("receive: AM_PROCPKT drop: bail\n"));
1830 				peer->timelastrec = current_time;
1831 				sys_declined++;
1832 				return;
1833 			}
1834 		}
1835 
1836 		break;
1837 
1838 	/*
1839 	 * A passive packet matches a passive association. This is
1840 	 * usually the result of reconfiguring a client on the fly. As
1841 	 * this association might be legitimate and this packet an
1842 	 * attempt to deny service, just ignore it.
1843 	 */
1844 	case AM_ERR:
1845 		DPRINTF(2, ("receive: AM_ERR drop.\n"));
1846 		sys_declined++;
1847 		return;
1848 
1849 	/*
1850 	 * For everything else there is the bit bucket.
1851 	 */
1852 	default:
1853 		DPRINTF(2, ("receive: default drop.\n"));
1854 		sys_declined++;
1855 		return;
1856 	}
1857 
1858 #ifdef AUTOKEY
1859 	/*
1860 	 * If the association is configured for Autokey, the packet must
1861 	 * have a public key ID; if not, the packet must have a
1862 	 * symmetric key ID.
1863 	 */
1864 	if (   is_authentic != AUTH_CRYPTO
1865 	    && (   ((peer->flags & FLAG_SKEY) && skeyid <= NTP_MAXKEY)
1866 	        || (!(peer->flags & FLAG_SKEY) && skeyid > NTP_MAXKEY))) {
1867 		DPRINTF(2, ("receive: drop: Autokey but wrong/bad auth\n"));
1868 		sys_badauth++;
1869 		return;
1870 	}
1871 #endif	/* AUTOKEY */
1872 
1873 	peer->received++;
1874 	peer->flash &= ~PKT_TEST_MASK;
1875 	if (peer->flags & FLAG_XBOGUS) {
1876 		peer->flags &= ~FLAG_XBOGUS;
1877 		peer->flash |= TEST3;
1878 	}
1879 
1880 	/*
1881 	 * Next comes a rigorous schedule of timestamp checking. If the
1882 	 * transmit timestamp is zero, the server has not initialized in
1883 	 * interleaved modes or is horribly broken.
1884 	 *
1885 	 * A KoD packet we pay attention to cannot have a 0 transmit
1886 	 * timestamp.
1887 	 */
1888 
1889 	kissCode = kiss_code_check(hisleap, hisstratum, hismode, pkt->refid);
1890 
1891 	if (L_ISZERO(&p_xmt)) {
1892 		peer->flash |= TEST3;			/* unsynch */
1893 		if (kissCode != NOKISS) {		/* KoD packet */
1894 			peer->bogusorg++;		/* for TEST2 or TEST3 */
1895 			msyslog(LOG_INFO,
1896 				"receive: Unexpected zero transmit timestamp in KoD from %s",
1897 				ntoa(&peer->srcadr));
1898 			return;
1899 		}
1900 
1901 	/*
1902 	 * If the transmit timestamp duplicates our previous one, the
1903 	 * packet is a replay. This prevents the bad guys from replaying
1904 	 * the most recent packet, authenticated or not.
1905 	 */
1906 	} else if (   ((FLAG_LOOPNONCE & peer->flags) && L_ISEQU(&peer->nonce, &p_xmt))
1907 		   || (!(FLAG_LOOPNONCE & peer->flags) && L_ISEQU(&peer->xmt, &p_xmt))
1908 	) {
1909 		DPRINTF(2, ("receive: drop: Duplicate xmit\n"));
1910 		peer->flash |= TEST1;			/* duplicate */
1911 		peer->oldpkt++;
1912 		return;
1913 
1914 	/*
1915 	 * If this is a broadcast mode packet, make sure hisstratum
1916 	 * is appropriate.  Don't do anything else here - we wait to
1917 	 * see if this is an interleave broadcast packet until after
1918 	 * we've validated the MAC that SHOULD be provided.
1919 	 *
1920 	 * hisstratum cannot be 0 - see assertion above.
1921 	 * If hisstratum is 15, then we'll advertise as UNSPEC but
1922 	 * at least we'll be able to sync with the broadcast server.
1923 	 */
1924 	} else if (hismode == MODE_BROADCAST) {
1925 		/* 0 is unexpected too, and impossible */
1926 		if (STRATUM_UNSPEC <= hisstratum) {
1927 			/* Is this a ++sys_declined or ??? */
1928 			msyslog(LOG_INFO,
1929 				"receive: Unexpected stratum (%d) in broadcast from %s",
1930 				hisstratum, ntoa(&peer->srcadr));
1931 			return;
1932 		}
1933 
1934 	/*
1935 	 * Basic KoD validation checking:
1936 	 *
1937 	 * KoD packets are a mixed-blessing.  Forged KoD packets
1938 	 * are DoS attacks.  There are rare situations where we might
1939 	 * get a valid KoD response, though.  Since KoD packets are
1940 	 * a special case that complicate the checks we do next, we
1941 	 * handle the basic KoD checks here.
1942 	 *
1943 	 * Note that we expect the incoming KoD packet to have its
1944 	 * (nonzero) org, rec, and xmt timestamps set to the xmt timestamp
1945 	 * that we have previously sent out.  Watch interleave mode.
1946 	 */
1947 	} else if (kissCode != NOKISS) {
1948 		DEBUG_INSIST(!L_ISZERO(&p_xmt));
1949 		if (   L_ISZERO(&p_org)		/* We checked p_xmt above */
1950 		    || L_ISZERO(&p_rec)) {
1951 			peer->bogusorg++;
1952 			msyslog(LOG_INFO,
1953 				"receive: KoD packet from %s has a zero org or rec timestamp.  Ignoring.",
1954 				ntoa(&peer->srcadr));
1955 			return;
1956 		}
1957 
1958 		if (   !L_ISEQU(&p_xmt, &p_org)
1959 		    || !L_ISEQU(&p_xmt, &p_rec)) {
1960 			peer->bogusorg++;
1961 			msyslog(LOG_INFO,
1962 				"receive: KoD packet from %s has inconsistent xmt/org/rec timestamps.  Ignoring.",
1963 				ntoa(&peer->srcadr));
1964 			return;
1965 		}
1966 
1967 		/* Be conservative */
1968 		if (peer->flip == 0 && !L_ISEQU(&p_org, &peer->aorg)) {
1969 			peer->bogusorg++;
1970 			msyslog(LOG_INFO,
1971 				"receive: flip 0 KoD origin timestamp %#010x.%08x from %s does not match %#010x.%08x - ignoring.",
1972 				p_org.l_ui, p_org.l_uf,
1973 				ntoa(&peer->srcadr),
1974 				peer->aorg.l_ui, peer->aorg.l_uf);
1975 			return;
1976 		} else if (peer->flip == 1 && !L_ISEQU(&p_org, &peer->borg)) {
1977 			peer->bogusorg++;
1978 			msyslog(LOG_INFO,
1979 				"receive: flip 1 KoD origin timestamp %#010x.%08x from %s does not match interleave %#010x.%08x - ignoring.",
1980 				p_org.l_ui, p_org.l_uf,
1981 				ntoa(&peer->srcadr),
1982 				peer->borg.l_ui, peer->borg.l_uf);
1983 			return;
1984 		}
1985 
1986 	/*
1987 	 * Basic mode checks:
1988 	 *
1989 	 * If there is no origin timestamp, it's either an initial packet
1990 	 * or we've already received a response to our query.  Of course,
1991 	 * should 'aorg' be all-zero because this really was the original
1992 	 * transmit timestamp, we'll ignore this reply.  There is a window
1993 	 * of one nanosecond once every 136 years' time where this is
1994 	 * possible.  We currently ignore this situation, as a completely
1995 	 * zero timestamp is (quietly?) disallowed.
1996 	 *
1997 	 * Otherwise, check for bogus packet in basic mode.
1998 	 * If it is bogus, switch to interleaved mode and resynchronize,
1999 	 * but only after confirming the packet is not bogus in
2000 	 * symmetric interleaved mode.
2001 	 *
2002 	 * This could also mean somebody is forging packets claiming to
2003 	 * be from us, attempting to cause our server to KoD us.
2004 	 *
2005 	 * We have earlier asserted that hisstratum cannot be 0.
2006 	 * If hisstratum is STRATUM_UNSPEC, it means he's not sync'd.
2007 	 */
2008 
2009 	/* XXX: FLAG_LOOPNONCE */
2010 	DEBUG_INSIST(0 == (FLAG_LOOPNONCE & peer->flags));
2011 
2012 	} else if (peer->flip == 0) {
2013 		if (0) {
2014 		} else if (L_ISZERO(&p_org)) {
2015 			const char *action;
2016 
2017 #ifdef BUG3361
2018 			msyslog(LOG_INFO,
2019 				"receive: BUG 3361: Clearing peer->aorg ");
2020 			L_CLR(&peer->aorg);
2021 			/* Clear peer->nonce, too? */
2022 #endif
2023 			/**/
2024 			switch (hismode) {
2025 			/* We allow 0org for: */
2026 			    case UCHAR_MAX:
2027 				action = "Allow";
2028 				break;
2029 			/* We disallow 0org for: */
2030 			    case MODE_UNSPEC:
2031 			    case MODE_ACTIVE:
2032 			    case MODE_PASSIVE:
2033 			    case MODE_CLIENT:
2034 			    case MODE_SERVER:
2035 			    case MODE_BROADCAST:
2036 				action = "Drop";
2037 				peer->bogusorg++;
2038 				peer->flash |= TEST2;	/* bogus */
2039 				break;
2040 			    default:
2041 				action = "";	/* for cranky compilers / MSVC */
2042 				INSIST(!"receive(): impossible hismode");
2043 				break;
2044 			}
2045 			/**/
2046 			msyslog(LOG_INFO,
2047 				"receive: %s 0 origin timestamp from %s@%s xmt %#010x.%08x",
2048 				action, hm_str, ntoa(&peer->srcadr),
2049 				ntohl(pkt->xmt.l_ui), ntohl(pkt->xmt.l_uf));
2050 		} else if (!L_ISEQU(&p_org, &peer->aorg)) {
2051 			/* are there cases here where we should bail? */
2052 			/* Should we set TEST2 if we decide to try xleave? */
2053 			peer->bogusorg++;
2054 			peer->flash |= TEST2;	/* bogus */
2055 			msyslog(LOG_INFO,
2056 				"receive: Unexpected origin timestamp %#010x.%08x does not match aorg %#010x.%08x from %s@%s xmt %#010x.%08x",
2057 				ntohl(pkt->org.l_ui), ntohl(pkt->org.l_uf),
2058 				peer->aorg.l_ui, peer->aorg.l_uf,
2059 				hm_str, ntoa(&peer->srcadr),
2060 				ntohl(pkt->xmt.l_ui), ntohl(pkt->xmt.l_uf));
2061 			if (  !L_ISZERO(&peer->dst)
2062 			    && L_ISEQU(&p_org, &peer->dst)) {
2063 				/* Might be the start of an interleave */
2064 				if (dynamic_interleave) {
2065 					peer->flip = 1;
2066 					report_event(PEVNT_XLEAVE, peer, NULL);
2067 				} else {
2068 					msyslog(LOG_INFO,
2069 						"receive: Dynamic interleave from %s@%s denied",
2070 						hm_str, ntoa(&peer->srcadr));
2071 				}
2072 			}
2073 		} else {
2074 			L_CLR(&peer->aorg);
2075 			/* XXX: FLAG_LOOPNONCE */
2076 		}
2077 
2078 	/*
2079 	 * Check for valid nonzero timestamp fields.
2080 	 */
2081 	} else if (   L_ISZERO(&p_org)
2082 		   || L_ISZERO(&p_rec)
2083 		   || L_ISZERO(&peer->dst)) {
2084 		peer->flash |= TEST3;		/* unsynch */
2085 
2086 	/*
2087 	 * Check for bogus packet in interleaved symmetric mode. This
2088 	 * can happen if a packet is lost, duplicated or crossed. If
2089 	 * found, flip and resynchronize.
2090 	 */
2091 	} else if (   !L_ISZERO(&peer->dst)
2092 		   && !L_ISEQU(&p_org, &peer->dst)) {
2093 		DPRINTF(2, ("receive: drop: Bogus packet in interleaved symmetric mode\n"));
2094 		peer->bogusorg++;
2095 		peer->flags |= FLAG_XBOGUS;
2096 		peer->flash |= TEST2;		/* bogus */
2097 #ifdef BUG3453
2098 		return; /* Bogus packet, we are done */
2099 #endif
2100 	}
2101 
2102 	/**/
2103 
2104 	/*
2105 	 * If this is a crypto_NAK, the server cannot authenticate a
2106 	 * client packet. The server might have just changed keys. Clear
2107 	 * the association and restart the protocol.
2108 	 */
2109 	if (crypto_nak_test == VALIDNAK) {
2110 		report_event(PEVNT_AUTH, peer, "crypto_NAK");
2111 		peer->flash |= TEST5;		/* bad auth */
2112 		peer->badauth++;
2113 		if (peer->flags & FLAG_PREEMPT) {
2114 			if (unpeer_crypto_nak_early) {
2115 				unpeer(peer);
2116 			}
2117 			DPRINTF(2, ("receive: drop: PREEMPT crypto_NAK\n"));
2118 			return;
2119 		}
2120 #ifdef AUTOKEY
2121 		if (peer->crypto) {
2122 			peer_clear(peer, "AUTH");
2123 		}
2124 #endif	/* AUTOKEY */
2125 		DPRINTF(2, ("receive: drop: crypto_NAK\n"));
2126 		return;
2127 
2128 	/*
2129 	 * If the digest fails or it's missing for authenticated
2130 	 * associations, the client cannot authenticate a server
2131 	 * reply to a client packet previously sent. The loopback check
2132 	 * is designed to avoid a bait-and-switch attack, which was
2133 	 * possible in past versions. If symmetric modes, return a
2134 	 * crypto-NAK. The peer should restart the protocol.
2135 	 */
2136 	} else if (!AUTH(peer->keyid || has_mac ||
2137 			 (restrict_mask & RES_DONTTRUST), is_authentic)) {
2138 
2139 		if (peer->flash & PKT_TEST_MASK) {
2140 			msyslog(LOG_INFO,
2141 				"receive: Bad auth in packet with bad timestamps from %s denied - spoof?",
2142 				ntoa(&peer->srcadr));
2143 			return;
2144 		}
2145 
2146 		report_event(PEVNT_AUTH, peer, "digest");
2147 		peer->flash |= TEST5;		/* bad auth */
2148 		peer->badauth++;
2149 		if (   has_mac
2150 		    && (   hismode == MODE_ACTIVE
2151 			|| hismode == MODE_PASSIVE))
2152 			fast_xmit(rbufp, MODE_ACTIVE, 0, restrict_mask);
2153 		if (peer->flags & FLAG_PREEMPT) {
2154 			if (unpeer_digest_early) {
2155 				unpeer(peer);
2156 			}
2157 		}
2158 #ifdef AUTOKEY
2159 		else if (peer_clear_digest_early && peer->crypto) {
2160 			peer_clear(peer, "AUTH");
2161 		}
2162 #endif	/* AUTOKEY */
2163 		DPRINTF(2, ("receive: drop: Bad or missing AUTH\n"));
2164 		return;
2165 	}
2166 
2167 	/*
2168 	 * For broadcast packets:
2169 	 *
2170 	 * HMS: This next line never made much sense to me, even
2171 	 * when it was up higher:
2172 	 *   If an initial volley, bail out now and let the
2173 	 *   client do its stuff.
2174 	 *
2175 	 * If the packet has not failed authentication, then
2176 	 * - if the origin timestamp is nonzero this is an
2177 	 *   interleaved broadcast, so restart the protocol.
2178 	 * - else, this is not an interleaved broadcast packet.
2179 	 */
2180 	if (hismode == MODE_BROADCAST) {
2181 		if (   is_authentic == AUTH_OK
2182 		    || is_authentic == AUTH_NONE) {
2183 			if (!L_ISZERO(&p_org)) {
2184 				if (!(peer->flags & FLAG_XB)) {
2185 					msyslog(LOG_INFO,
2186 						"receive: Broadcast server at %s is in interleave mode",
2187 						ntoa(&peer->srcadr));
2188 					peer->flags |= FLAG_XB;
2189 					peer->aorg = p_xmt;
2190 					peer->borg = rbufp->recv_time;
2191 					report_event(PEVNT_XLEAVE, peer, NULL);
2192 					return;
2193 				}
2194 			} else if (peer->flags & FLAG_XB) {
2195 				msyslog(LOG_INFO,
2196 					"receive: Broadcast server at %s is no longer in interleave mode",
2197 					ntoa(&peer->srcadr));
2198 				peer->flags &= ~FLAG_XB;
2199 			}
2200 		} else {
2201 			msyslog(LOG_INFO,
2202 				"receive: Bad broadcast auth (%d) from %s",
2203 				is_authentic, ntoa(&peer->srcadr));
2204 		}
2205 
2206 		/*
2207 		 * Now that we know the packet is correctly authenticated,
2208 		 * update peer->bxmt.
2209 		 */
2210 		peer->bxmt = p_xmt;
2211 	}
2212 
2213 
2214 	/*
2215 	** Update the state variables.
2216 	*/
2217 	if (peer->flip == 0) {
2218 		if (hismode != MODE_BROADCAST)
2219 			peer->rec = p_xmt;
2220 		peer->dst = rbufp->recv_time;
2221 	}
2222 	peer->xmt = p_xmt;
2223 
2224 	/*
2225 	 * Set the peer ppoll to the maximum of the packet ppoll and the
2226 	 * peer minpoll. If a kiss-o'-death, set the peer minpoll to
2227 	 * this maximum and advance the headway to give the sender some
2228 	 * headroom. Very intricate.
2229 	 */
2230 
2231 	/*
2232 	 * Check for any kiss codes. Note this is only used when a server
2233 	 * responds to a packet request.
2234 	 */
2235 
2236 	/*
2237 	 * Check to see if this is a RATE Kiss Code
2238 	 * Currently this kiss code will accept whatever poll
2239 	 * rate that the server sends
2240 	 */
2241 	peer->ppoll = max(peer->minpoll, pkt->ppoll);
2242 	if (kissCode == RATEKISS) {
2243 		peer->selbroken++;	/* Increment the KoD count */
2244 		report_event(PEVNT_RATE, peer, NULL);
2245 		if (pkt->ppoll > peer->minpoll)
2246 			peer->minpoll = peer->ppoll;
2247 		peer->burst = peer->retry = 0;
2248 		peer->throttle = (NTP_SHIFT + 1) * (1 << peer->minpoll);
2249 		poll_update(peer, pkt->ppoll, 0);
2250 		return;				/* kiss-o'-death */
2251 	}
2252 	if (kissCode != NOKISS) {
2253 		peer->selbroken++;	/* Increment the KoD count */
2254 		return;		/* Drop any other kiss code packets */
2255 	}
2256 
2257 
2258 	/*
2259 	 * XXX
2260 	 */
2261 
2262 
2263 	/*
2264 	 * If:
2265 	 *	- this is a *cast (uni-, broad-, or m-) server packet
2266 	 *	- and it's symmetric-key authenticated
2267 	 * then see if the sender's IP is trusted for this keyid.
2268 	 * If it is, great - nothing special to do here.
2269 	 * Otherwise, we should report and bail.
2270 	 *
2271 	 * Autokey-authenticated packets are accepted.
2272 	 */
2273 
2274 	switch (hismode) {
2275 	    case MODE_SERVER:		/* server mode */
2276 	    case MODE_BROADCAST:	/* broadcast mode */
2277 	    case MODE_ACTIVE:		/* symmetric active mode */
2278 	    case MODE_PASSIVE:		/* symmetric passive mode */
2279 		if (   is_authentic == AUTH_OK
2280 		    && skeyid
2281 		    && skeyid <= NTP_MAXKEY
2282 		    && !authistrustedip(skeyid, &peer->srcadr)) {
2283 			report_event(PEVNT_AUTH, peer, "authIP");
2284 			peer->badauth++;
2285 			return;
2286 		}
2287 		break;
2288 
2289 	    case MODE_CLIENT:		/* client mode */
2290 #if 0		/* At this point, MODE_CONTROL is overloaded by MODE_BCLIENT */
2291 	    case MODE_CONTROL:		/* control mode */
2292 #endif
2293 	    case MODE_PRIVATE:		/* private mode */
2294 	    case MODE_BCLIENT:		/* broadcast client mode */
2295 		break;
2296 
2297 	    case MODE_UNSPEC:		/* unspecified (old version) */
2298 	    default:
2299 		msyslog(LOG_INFO,
2300 			"receive: Unexpected mode (%d) in packet from %s",
2301 			hismode, ntoa(&peer->srcadr));
2302 		break;
2303 	}
2304 
2305 
2306 	/*
2307 	 * That was hard and I am sweaty, but the packet is squeaky
2308 	 * clean. Get on with real work.
2309 	 */
2310 	peer->timereceived = current_time;
2311 	peer->timelastrec = current_time;
2312 	if (is_authentic == AUTH_OK)
2313 		peer->flags |= FLAG_AUTHENTIC;
2314 	else
2315 		peer->flags &= ~FLAG_AUTHENTIC;
2316 
2317 #ifdef AUTOKEY
2318 	/*
2319 	 * More autokey dance. The rules of the cha-cha are as follows:
2320 	 *
2321 	 * 1. If there is no key or the key is not auto, do nothing.
2322 	 *
2323 	 * 2. If this packet is in response to the one just previously
2324 	 *    sent or from a broadcast server, do the extension fields.
2325 	 *    Otherwise, assume bogosity and bail out.
2326 	 *
2327 	 * 3. If an extension field contains a verified signature, it is
2328 	 *    self-authenticated and we sit the dance.
2329 	 *
2330 	 * 4. If this is a server reply, check only to see that the
2331 	 *    transmitted key ID matches the received key ID.
2332 	 *
2333 	 * 5. Check to see that one or more hashes of the current key ID
2334 	 *    matches the previous key ID or ultimate original key ID
2335 	 *    obtained from the broadcaster or symmetric peer. If no
2336 	 *    match, sit the dance and call for new autokey values.
2337 	 *
2338 	 * In case of crypto error, fire the orchestra, stop dancing and
2339 	 * restart the protocol.
2340 	 */
2341 	if (peer->flags & FLAG_SKEY) {
2342 		/*
2343 		 * Decrement remaining autokey hashes. This isn't
2344 		 * perfect if a packet is lost, but results in no harm.
2345 		 */
2346 		ap = (struct autokey *)peer->recval.ptr;
2347 		if (ap != NULL) {
2348 			if (ap->seq > 0)
2349 				ap->seq--;
2350 		}
2351 		peer->flash |= TEST8;
2352 		rval = crypto_recv(peer, rbufp);
2353 		if (rval == XEVNT_OK) {
2354 			peer->unreach = 0;
2355 		} else {
2356 			if (rval == XEVNT_ERR) {
2357 				report_event(PEVNT_RESTART, peer,
2358 				    "crypto error");
2359 				peer_clear(peer, "CRYP");
2360 				peer->flash |= TEST9;	/* bad crypt */
2361 				if (peer->flags & FLAG_PREEMPT) {
2362 					if (unpeer_crypto_early) {
2363 						unpeer(peer);
2364 					}
2365 				}
2366 			}
2367 			return;
2368 		}
2369 
2370 		/*
2371 		 * If server mode, verify the receive key ID matches
2372 		 * the transmit key ID.
2373 		 */
2374 		if (hismode == MODE_SERVER) {
2375 			if (skeyid == peer->keyid)
2376 				peer->flash &= ~TEST8;
2377 
2378 		/*
2379 		 * If an extension field is present, verify only that it
2380 		 * has been correctly signed. We don't need a sequence
2381 		 * check here, but the sequence continues.
2382 		 */
2383 		} else if (!(peer->flash & TEST8)) {
2384 			peer->pkeyid = skeyid;
2385 
2386 		/*
2387 		 * Now the fun part. Here, skeyid is the current ID in
2388 		 * the packet, pkeyid is the ID in the last packet and
2389 		 * tkeyid is the hash of skeyid. If the autokey values
2390 		 * have not been received, this is an automatic error.
2391 		 * If so, check that the tkeyid matches pkeyid. If not,
2392 		 * hash tkeyid and try again. If the number of hashes
2393 		 * exceeds the number remaining in the sequence, declare
2394 		 * a successful failure and refresh the autokey values.
2395 		 */
2396 		} else if (ap != NULL) {
2397 			int i;
2398 
2399 			for (i = 0; ; i++) {
2400 				if (   tkeyid == peer->pkeyid
2401 				    || tkeyid == ap->key) {
2402 					peer->flash &= ~TEST8;
2403 					peer->pkeyid = skeyid;
2404 					ap->seq -= i;
2405 					break;
2406 				}
2407 				if (i > ap->seq) {
2408 					peer->crypto &=
2409 					    ~CRYPTO_FLAG_AUTO;
2410 					break;
2411 				}
2412 				tkeyid = session_key(
2413 				    &rbufp->recv_srcadr, dstadr_sin,
2414 				    tkeyid, pkeyid, 0);
2415 			}
2416 			if (peer->flash & TEST8)
2417 				report_event(PEVNT_AUTH, peer, "keylist");
2418 		}
2419 		if (!(peer->crypto & CRYPTO_FLAG_PROV)) /* test 9 */
2420 			peer->flash |= TEST8;	/* bad autokey */
2421 
2422 		/*
2423 		 * The maximum lifetime of the protocol is about one
2424 		 * week before restarting the Autokey protocol to
2425 		 * refresh certificates and leapseconds values.
2426 		 */
2427 		if (current_time > peer->refresh) {
2428 			report_event(PEVNT_RESTART, peer,
2429 			    "crypto refresh");
2430 			peer_clear(peer, "TIME");
2431 			return;
2432 		}
2433 	}
2434 #endif	/* AUTOKEY */
2435 
2436 	/*
2437 	 * The dance is complete and the flash bits have been lit. Toss
2438 	 * the packet over the fence for processing, which may light up
2439 	 * more flashers. Leave if the packet is not good.
2440 	 */
2441 	process_packet(peer, pkt, rbufp->recv_length);
2442 	if (peer->flash & PKT_TEST_MASK)
2443 		return;
2444 
2445 	/* [bug 3592] Update poll. Ideally this should not happen in a
2446 	 * receive branch, but too much is going on here... at least we
2447 	 * do it only if the packet was good!
2448 	 */
2449 	poll_update(peer, peer->hpoll, (peer->hmode == MODE_CLIENT));
2450 
2451 	/*
2452 	 * In interleaved mode update the state variables. Also adjust the
2453 	 * transmit phase to avoid crossover.
2454 	 */
2455 	if (peer->flip != 0) {
2456 		peer->rec = p_rec;
2457 		peer->dst = rbufp->recv_time;
2458 		if (peer->nextdate - current_time < (1U << min(peer->ppoll,
2459 		    peer->hpoll)) / 2)
2460 			peer->nextdate++;
2461 		else
2462 			peer->nextdate--;
2463 	}
2464 }
2465 
2466 
2467 /*
2468  * process_packet - Packet Procedure, a la Section 3.4.4 of RFC-1305
2469  *	Or almost, at least.  If we're in here we have a reasonable
2470  *	expectation that we will be having a long term
2471  *	relationship with this host.
2472  */
2473 void
2474 process_packet(
2475 	register struct peer *peer,
2476 	register struct pkt *pkt,
2477 	u_int	len
2478 	)
2479 {
2480 	double	t34, t21;
2481 	double	p_offset, p_del, p_disp;
2482 	l_fp	p_rec, p_xmt, p_org, p_reftime, ci;
2483 	u_char	pmode, pleap, pversion, pstratum;
2484 	char	statstr[NTP_MAXSTRLEN];
2485 #ifdef ASSYM
2486 	int	itemp;
2487 	double	etemp, ftemp, td;
2488 #endif /* ASSYM */
2489 
2490 	p_del = FPTOD(NTOHS_FP(pkt->rootdelay));
2491 	p_offset = 0;
2492 	p_disp = FPTOD(NTOHS_FP(pkt->rootdisp));
2493 	NTOHL_FP(&pkt->reftime, &p_reftime);
2494 	NTOHL_FP(&pkt->org, &p_org);
2495 	NTOHL_FP(&pkt->rec, &p_rec);
2496 	NTOHL_FP(&pkt->xmt, &p_xmt);
2497 	pmode = PKT_MODE(pkt->li_vn_mode);
2498 	pleap = PKT_LEAP(pkt->li_vn_mode);
2499 	pversion = PKT_VERSION(pkt->li_vn_mode);
2500 	pstratum = PKT_TO_STRATUM(pkt->stratum);
2501 
2502 	/*
2503 	 * Verify the server is synchronized; that is, the leap bits,
2504 	 * stratum and root distance are valid.
2505 	 */
2506 	if (   pleap == LEAP_NOTINSYNC		/* test 6 */
2507 	    || pstratum < sys_floor || pstratum >= sys_ceiling)
2508 		peer->flash |= TEST6;		/* bad synch or strat */
2509 	if (p_del / 2 + p_disp >= MAXDISPERSE)	/* test 7 */
2510 		peer->flash |= TEST7;		/* bad header */
2511 
2512 	/*
2513 	 * If any tests fail at this point, the packet is discarded.
2514 	 * Note that some flashers may have already been set in the
2515 	 * receive() routine.
2516 	 */
2517 	if (peer->flash & PKT_TEST_MASK) {
2518 		peer->seldisptoolarge++;
2519 		DPRINTF(1, ("packet: flash header %04x\n",
2520 			    peer->flash));
2521 		/* [Bug 3592] do *not* update poll on bad packets! */
2522 		return;
2523 	}
2524 
2525 	/*
2526 	 * update stats, now that we really handle this packet:
2527 	 */
2528 	sys_processed++;
2529 	peer->processed++;
2530 
2531 	/*
2532 	 * Capture the header values in the client/peer association..
2533 	 */
2534 	record_raw_stats(&peer->srcadr,
2535 	    peer->dstadr ? &peer->dstadr->sin : NULL,
2536 	    &p_org, &p_rec, &p_xmt, &peer->dst,
2537 	    pleap, pversion, pmode, pstratum, pkt->ppoll, pkt->precision,
2538 	    p_del, p_disp, pkt->refid,
2539 	    len - MIN_V4_PKT_LEN, (u_char *)&pkt->exten);
2540 	peer->leap = pleap;
2541 	peer->stratum = min(pstratum, STRATUM_UNSPEC);
2542 	peer->pmode = pmode;
2543 	peer->precision = pkt->precision;
2544 	peer->rootdelay = p_del;
2545 	peer->rootdisp = p_disp;
2546 	peer->refid = pkt->refid;		/* network byte order */
2547 	peer->reftime = p_reftime;
2548 
2549 	/*
2550 	 * First, if either burst mode is armed, enable the burst.
2551 	 * Compute the headway for the next packet and delay if
2552 	 * necessary to avoid exceeding the threshold.
2553 	 */
2554 	if (peer->retry > 0) {
2555 		peer->retry = 0;
2556 		if (peer->reach)
2557 			peer->burst = min(1 << (peer->hpoll -
2558 			    peer->minpoll), NTP_SHIFT) - 1;
2559 		else
2560 			peer->burst = NTP_IBURST - 1;
2561 		if (peer->burst > 0)
2562 			peer->nextdate = current_time;
2563 	}
2564 
2565 	/*
2566 	 * If the peer was previously unreachable, raise a trap. In any
2567 	 * case, mark it reachable.
2568 	 */
2569 	if (!peer->reach) {
2570 		report_event(PEVNT_REACH, peer, NULL);
2571 		peer->timereachable = current_time;
2572 	}
2573 	peer->reach |= 1;
2574 
2575 	/*
2576 	 * For a client/server association, calculate the clock offset,
2577 	 * roundtrip delay and dispersion. The equations are reordered
2578 	 * from the spec for more efficient use of temporaries. For a
2579 	 * broadcast association, offset the last measurement by the
2580 	 * computed delay during the client/server volley. Note the
2581 	 * computation of dispersion includes the system precision plus
2582 	 * that due to the frequency error since the origin time.
2583 	 *
2584 	 * It is very important to respect the hazards of overflow. The
2585 	 * only permitted operation on raw timestamps is subtraction,
2586 	 * where the result is a signed quantity spanning from 68 years
2587 	 * in the past to 68 years in the future. To avoid loss of
2588 	 * precision, these calculations are done using 64-bit integer
2589 	 * arithmetic. However, the offset and delay calculations are
2590 	 * sums and differences of these first-order differences, which
2591 	 * if done using 64-bit integer arithmetic, would be valid over
2592 	 * only half that span. Since the typical first-order
2593 	 * differences are usually very small, they are converted to 64-
2594 	 * bit doubles and all remaining calculations done in floating-
2595 	 * double arithmetic. This preserves the accuracy while
2596 	 * retaining the 68-year span.
2597 	 *
2598 	 * There are three interleaving schemes, basic, interleaved
2599 	 * symmetric and interleaved broadcast. The timestamps are
2600 	 * idioscyncratically different. See the onwire briefing/white
2601 	 * paper at www.eecis.udel.edu/~mills for details.
2602 	 *
2603 	 * Interleaved symmetric mode
2604 	 * t1 = peer->aorg/borg, t2 = peer->rec, t3 = p_xmt,
2605 	 * t4 = peer->dst
2606 	 */
2607 	if (peer->flip != 0) {
2608 		ci = p_xmt;				/* t3 - t4 */
2609 		L_SUB(&ci, &peer->dst);
2610 		LFPTOD(&ci, t34);
2611 		ci = p_rec;				/* t2 - t1 */
2612 		if (peer->flip > 0)
2613 			L_SUB(&ci, &peer->borg);
2614 		else
2615 			L_SUB(&ci, &peer->aorg);
2616 		LFPTOD(&ci, t21);
2617 		p_del = t21 - t34;
2618 		p_offset = (t21 + t34) / 2.;
2619 		if (p_del < 0 || p_del > 1.) {
2620 			snprintf(statstr, sizeof(statstr),
2621 			    "t21 %.6f t34 %.6f", t21, t34);
2622 			report_event(PEVNT_XERR, peer, statstr);
2623 			return;
2624 		}
2625 
2626 	/*
2627 	 * Broadcast modes
2628 	 */
2629 	} else if (peer->pmode == MODE_BROADCAST) {
2630 
2631 		/*
2632 		 * Interleaved broadcast mode. Use interleaved timestamps.
2633 		 * t1 = peer->borg, t2 = p_org, t3 = p_org, t4 = aorg
2634 		 */
2635 		if (peer->flags & FLAG_XB) {
2636 			ci = p_org;			/* delay */
2637 			L_SUB(&ci, &peer->aorg);
2638 			LFPTOD(&ci, t34);
2639 			ci = p_org;			/* t2 - t1 */
2640 			L_SUB(&ci, &peer->borg);
2641 			LFPTOD(&ci, t21);
2642 			peer->aorg = p_xmt;
2643 			peer->borg = peer->dst;
2644 			if (t34 < 0 || t34 > 1.) {
2645 				/* drop all if in the initial volley */
2646 				if (FLAG_BC_VOL & peer->flags)
2647 					goto bcc_init_volley_fail;
2648 				snprintf(statstr, sizeof(statstr),
2649 				    "offset %.6f delay %.6f", t21, t34);
2650 				report_event(PEVNT_XERR, peer, statstr);
2651 				return;
2652 			}
2653 			p_offset = t21;
2654 			peer->xleave = t34;
2655 
2656 		/*
2657 		 * Basic broadcast - use direct timestamps.
2658 		 * t3 = p_xmt, t4 = peer->dst
2659 		 */
2660 		} else {
2661 			ci = p_xmt;		/* t3 - t4 */
2662 			L_SUB(&ci, &peer->dst);
2663 			LFPTOD(&ci, t34);
2664 			p_offset = t34;
2665 		}
2666 
2667 		/*
2668 		 * When calibration is complete and the clock is
2669 		 * synchronized, the bias is calculated as the difference
2670 		 * between the unicast timestamp and the broadcast
2671 		 * timestamp. This works for both basic and interleaved
2672 		 * modes.
2673 		 * [Bug 3031] Don't keep this peer when the delay
2674 		 * calculation gives reason to suspect clock steps.
2675 		 * This is assumed for delays > 50ms.
2676 		 */
2677 		if (FLAG_BC_VOL & peer->flags) {
2678 			peer->flags &= ~FLAG_BC_VOL;
2679 			peer->delay = fabs(peer->offset - p_offset) * 2;
2680 			DPRINTF(2, ("broadcast volley: initial delay=%.6f\n",
2681 				peer->delay));
2682 			if (peer->delay > fabs(sys_bdelay)) {
2683 		bcc_init_volley_fail:
2684 				DPRINTF(2, ("%s", "broadcast volley: initial delay exceeds limit\n"));
2685 				unpeer(peer);
2686 				return;
2687 			}
2688 		}
2689 		peer->nextdate = current_time + (1u << peer->ppoll) - 2u;
2690 		p_del = peer->delay;
2691 		p_offset += p_del / 2;
2692 
2693 
2694 	/*
2695 	 * Basic mode, otherwise known as the old fashioned way.
2696 	 *
2697 	 * t1 = p_org, t2 = p_rec, t3 = p_xmt, t4 = peer->dst
2698 	 */
2699 	} else {
2700 		ci = p_xmt;				/* t3 - t4 */
2701 		L_SUB(&ci, &peer->dst);
2702 		LFPTOD(&ci, t34);
2703 		ci = p_rec;				/* t2 - t1 */
2704 		L_SUB(&ci, &p_org);
2705 		LFPTOD(&ci, t21);
2706 		p_del = fabs(t21 - t34);
2707 		p_offset = (t21 + t34) / 2.;
2708 	}
2709 	p_del = max(p_del, LOGTOD(sys_precision));
2710 	p_disp = LOGTOD(sys_precision) + LOGTOD(peer->precision) +
2711 	    clock_phi * p_del;
2712 
2713 #if ASSYM
2714 	/*
2715 	 * This code calculates the outbound and inbound data rates by
2716 	 * measuring the differences between timestamps at different
2717 	 * packet lengths. This is helpful in cases of large asymmetric
2718 	 * delays commonly experienced on deep space communication
2719 	 * links.
2720 	 */
2721 	if (peer->t21_last > 0 && peer->t34_bytes > 0) {
2722 		itemp = peer->t21_bytes - peer->t21_last;
2723 		if (itemp > 25) {
2724 			etemp = t21 - peer->t21;
2725 			if (fabs(etemp) > 1e-6) {
2726 				ftemp = itemp / etemp;
2727 				if (ftemp > 1000.)
2728 					peer->r21 = ftemp;
2729 			}
2730 		}
2731 		itemp = len - peer->t34_bytes;
2732 		if (itemp > 25) {
2733 			etemp = -t34 - peer->t34;
2734 			if (fabs(etemp) > 1e-6) {
2735 				ftemp = itemp / etemp;
2736 				if (ftemp > 1000.)
2737 					peer->r34 = ftemp;
2738 			}
2739 		}
2740 	}
2741 
2742 	/*
2743 	 * The following section compensates for different data rates on
2744 	 * the outbound (d21) and inbound (t34) directions. To do this,
2745 	 * it finds t such that r21 * t - r34 * (d - t) = 0, where d is
2746 	 * the roundtrip delay. Then it calculates the correction as a
2747 	 * fraction of d.
2748 	 */
2749 	peer->t21 = t21;
2750 	peer->t21_last = peer->t21_bytes;
2751 	peer->t34 = -t34;
2752 	peer->t34_bytes = len;
2753 	DPRINTF(2, ("packet: t21 %.9lf %d t34 %.9lf %d\n", peer->t21,
2754 		    peer->t21_bytes, peer->t34, peer->t34_bytes));
2755 	if (peer->r21 > 0 && peer->r34 > 0 && p_del > 0) {
2756 		if (peer->pmode != MODE_BROADCAST)
2757 			td = (peer->r34 / (peer->r21 + peer->r34) -
2758 			    .5) * p_del;
2759 		else
2760 			td = 0;
2761 
2762 		/*
2763 		 * Unfortunately, in many cases the errors are
2764 		 * unacceptable, so for the present the rates are not
2765 		 * used. In future, we might find conditions where the
2766 		 * calculations are useful, so this should be considered
2767 		 * a work in progress.
2768 		 */
2769 		t21 -= td;
2770 		t34 -= td;
2771 		DPRINTF(2, ("packet: del %.6lf r21 %.1lf r34 %.1lf %.6lf\n",
2772 			    p_del, peer->r21 / 1e3, peer->r34 / 1e3,
2773 			    td));
2774 	}
2775 #endif /* ASSYM */
2776 
2777 	/*
2778 	 * That was awesome. Now hand off to the clock filter.
2779 	 */
2780 	clock_filter(peer, p_offset + peer->bias, p_del, p_disp);
2781 
2782 	/*
2783 	 * If we are in broadcast calibrate mode, return to broadcast
2784 	 * client mode when the client is fit and the autokey dance is
2785 	 * complete.
2786 	 */
2787 	if (   (FLAG_BC_VOL & peer->flags)
2788 	    && MODE_CLIENT == peer->hmode
2789 	    && !(TEST11 & peer_unfit(peer))) {	/* distance exceeded */
2790 #ifdef AUTOKEY
2791 		if (peer->flags & FLAG_SKEY) {
2792 			if (!(~peer->crypto & CRYPTO_FLAG_ALL))
2793 				peer->hmode = MODE_BCLIENT;
2794 		} else {
2795 			peer->hmode = MODE_BCLIENT;
2796 		}
2797 #else	/* !AUTOKEY follows */
2798 		peer->hmode = MODE_BCLIENT;
2799 #endif	/* !AUTOKEY */
2800 	}
2801 }
2802 
2803 
2804 /*
2805  * clock_update - Called at system process update intervals.
2806  */
2807 static void
2808 clock_update(
2809 	struct peer *peer	/* peer structure pointer */
2810 	)
2811 {
2812 	double	dtemp;
2813 	l_fp	now;
2814 #ifdef HAVE_LIBSCF_H
2815 	char	*fmri;
2816 #endif /* HAVE_LIBSCF_H */
2817 
2818 	/*
2819 	 * Update the system state variables. We do this very carefully,
2820 	 * as the poll interval might need to be clamped differently.
2821 	 */
2822 	sys_peer = peer;
2823 	sys_epoch = peer->epoch;
2824 	if (sys_poll < peer->minpoll)
2825 		sys_poll = peer->minpoll;
2826 	if (sys_poll > peer->maxpoll)
2827 		sys_poll = peer->maxpoll;
2828 	poll_update(peer, sys_poll, 0);
2829 	sys_stratum = min(peer->stratum + 1, STRATUM_UNSPEC);
2830 	if (   peer->stratum == STRATUM_REFCLOCK
2831 	    || peer->stratum == STRATUM_UNSPEC)
2832 		sys_refid = peer->refid;
2833 	else
2834 		sys_refid = addr2refid(&peer->srcadr);
2835 	/*
2836 	 * Root Dispersion (E) is defined (in RFC 5905) as:
2837 	 *
2838 	 * E = p.epsilon_r + p.epsilon + p.psi + PHI*(s.t - p.t) + |THETA|
2839 	 *
2840 	 * where:
2841 	 *  p.epsilon_r is the PollProc's root dispersion
2842 	 *  p.epsilon   is the PollProc's dispersion
2843 	 *  p.psi       is the PollProc's jitter
2844 	 *  THETA       is the combined offset
2845 	 *
2846 	 * NB: Think Hard about where these numbers come from and
2847 	 * what they mean.  When did peer->update happen?  Has anything
2848 	 * interesting happened since then?  What values are the most
2849 	 * defensible?  Why?
2850 	 *
2851 	 * DLM thinks this equation is probably the best of all worse choices.
2852 	 */
2853 	dtemp	= peer->rootdisp
2854 		+ peer->disp
2855 		+ sys_jitter
2856 		+ clock_phi * (current_time - peer->update)
2857 		+ fabs(sys_offset);
2858 
2859 	p2_rootdisp = prev_rootdisp;
2860 	prev_rootdisp = sys_rootdisp;
2861 	if (dtemp > sys_mindisp)
2862 		sys_rootdisp = dtemp;
2863 	else
2864 		sys_rootdisp = sys_mindisp;
2865 
2866 	sys_rootdelay = peer->delay + peer->rootdelay;
2867 
2868 	p2_reftime = prev_reftime;
2869 	p2_time = prev_time;
2870 
2871 	prev_reftime = sys_reftime;
2872 	prev_time = current_time + 64 + (rand() & 0x3f);	/* 64-127 s */
2873 
2874 	sys_reftime = peer->dst;
2875 
2876 	DPRINTF(1, ("clock_update: at %lu sample %lu associd %d\n",
2877 		    current_time, peer->epoch, peer->associd));
2878 
2879 	/*
2880 	 * Comes now the moment of truth. Crank the clock discipline and
2881 	 * see what comes out.
2882 	 */
2883 	switch (local_clock(peer, sys_offset)) {
2884 
2885 	/*
2886 	 * Clock exceeds panic threshold. Life as we know it ends.
2887 	 */
2888 	case -1:
2889 #ifdef HAVE_LIBSCF_H
2890 		/*
2891 		 * For Solaris enter the maintenance mode.
2892 		 */
2893 		if ((fmri = getenv("SMF_FMRI")) != NULL) {
2894 			if (smf_maintain_instance(fmri, 0) < 0) {
2895 				printf("smf_maintain_instance: %s\n",
2896 				    scf_strerror(scf_error()));
2897 				exit(1);
2898 			}
2899 			/*
2900 			 * Sleep until SMF kills us.
2901 			 */
2902 			for (;;)
2903 				pause();
2904 		}
2905 #endif /* HAVE_LIBSCF_H */
2906 		exit (-1);
2907 		/* not reached */
2908 
2909 	/*
2910 	 * Clock was stepped. Flush all time values of all peers.
2911 	 */
2912 	case 2:
2913 		clear_all();
2914 		set_sys_leap(LEAP_NOTINSYNC);
2915 		sys_stratum = STRATUM_UNSPEC;
2916 		memcpy(&sys_refid, "STEP", 4);
2917 		sys_rootdelay = 0;
2918 		p2_rootdisp = 0;
2919 		prev_rootdisp = 0;
2920 		sys_rootdisp = 0;
2921 		L_CLR(&p2_reftime);	/* Should we clear p2_reftime? */
2922 		L_CLR(&prev_reftime);	/* Should we clear prev_reftime? */
2923 		L_CLR(&sys_reftime);
2924 		sys_jitter = LOGTOD(sys_precision);
2925 		leapsec_reset_frame();
2926 		break;
2927 
2928 	/*
2929 	 * Clock was slewed. Handle the leapsecond stuff.
2930 	 */
2931 	case 1:
2932 
2933 		/*
2934 		 * If this is the first time the clock is set, reset the
2935 		 * leap bits. If crypto, the timer will goose the setup
2936 		 * process.
2937 		 */
2938 		if (sys_leap == LEAP_NOTINSYNC) {
2939 			set_sys_leap(LEAP_NOWARNING);
2940 #ifdef AUTOKEY
2941 			if (crypto_flags)
2942 				crypto_update();
2943 #endif	/* AUTOKEY */
2944 			/*
2945 			 * If our parent process is waiting for the
2946 			 * first clock sync, send them home satisfied.
2947 			 */
2948 #ifdef HAVE_WORKING_FORK
2949 			if (daemon_pipe[1] != -1) {
2950 				write(daemon_pipe[1], "S\n", 2);
2951 				close(daemon_pipe[1]);
2952 				daemon_pipe[1] = -1;
2953 				DPRINTF(1, ("notified parent --wait-sync is done\n"));
2954 			}
2955 #endif /* HAVE_WORKING_FORK */
2956 
2957 		}
2958 
2959 		/*
2960 		 * If there is no leap second pending and the number of
2961 		 * survivor leap bits is greater than half the number of
2962 		 * survivors, try to schedule a leap for the end of the
2963 		 * current month. (This only works if no leap second for
2964 		 * that range is in the table, so doing this more than
2965 		 * once is mostly harmless.)
2966 		 */
2967 		if (leapsec == LSPROX_NOWARN) {
2968 			if (   leap_vote_ins > leap_vote_del
2969 			    && leap_vote_ins > sys_survivors / 2) {
2970 				get_systime(&now);
2971 				leapsec_add_dyn(TRUE, now.l_ui, NULL);
2972 			}
2973 			if (   leap_vote_del > leap_vote_ins
2974 			    && leap_vote_del > sys_survivors / 2) {
2975 				get_systime(&now);
2976 				leapsec_add_dyn(FALSE, now.l_ui, NULL);
2977 			}
2978 		}
2979 		break;
2980 
2981 	/*
2982 	 * Popcorn spike or step threshold exceeded. Pretend it never
2983 	 * happened.
2984 	 */
2985 	default:
2986 		break;
2987 	}
2988 }
2989 
2990 
2991 /*
2992  * poll_update - update peer poll interval
2993  */
2994 void
2995 poll_update(
2996 	struct peer *peer,	/* peer structure pointer */
2997 	u_char	mpoll,
2998 	u_char  skewpoll
2999 	)
3000 {
3001 	u_long	next, utemp, limit;
3002 	u_char	hpoll;
3003 
3004 	/*
3005 	 * This routine figures out when the next poll should be sent.
3006 	 * That turns out to be wickedly complicated. One problem is
3007 	 * that sometimes the time for the next poll is in the past when
3008 	 * the poll interval is reduced. We watch out for races here
3009 	 * between the receive process and the poll process.
3010 	 *
3011 	 * Clamp the poll interval between minpoll and maxpoll.
3012 	 */
3013 	hpoll = max(min(peer->maxpoll, mpoll), peer->minpoll);
3014 
3015 #ifdef AUTOKEY
3016 	/*
3017 	 * If during the crypto protocol the poll interval has changed,
3018 	 * the lifetimes in the key list are probably bogus. Purge the
3019 	 * the key list and regenerate it later.
3020 	 */
3021 	if ((peer->flags & FLAG_SKEY) && hpoll != peer->hpoll)
3022 		key_expire(peer);
3023 #endif	/* AUTOKEY */
3024 	peer->hpoll = hpoll;
3025 
3026 	/*
3027 	 * There are three variables important for poll scheduling, the
3028 	 * current time (current_time), next scheduled time (nextdate)
3029 	 * and the earliest time (utemp). The earliest time is 2 s
3030 	 * seconds, but could be more due to rate management. When
3031 	 * sending in a burst, use the earliest time. When not in a
3032 	 * burst but with a reply pending, send at the earliest time
3033 	 * unless the next scheduled time has not advanced. This can
3034 	 * only happen if multiple replies are pending in the same
3035 	 * response interval. Otherwise, send at the later of the next
3036 	 * scheduled time and the earliest time.
3037 	 *
3038 	 * Now we figure out if there is an override. If a burst is in
3039 	 * progress and we get called from the receive process, just
3040 	 * slink away. If called from the poll process, delay 1 s for a
3041 	 * reference clock, otherwise 2 s.
3042 	 */
3043 	utemp = current_time + max(peer->throttle - (NTP_SHIFT - 1) *
3044 	    (1 << peer->minpoll), ntp_minpkt);
3045 
3046  	/*[Bug 3592] avoid unlimited postpone of next poll */
3047 	limit = (2u << hpoll);
3048 	if (limit > 64)
3049 		limit -= (limit >> 2);
3050 	limit += peer->outdate;
3051 	if (limit < current_time)
3052 		limit = current_time;
3053 
3054 	if (peer->burst > 0) {
3055 		if (peer->nextdate > current_time)
3056 			return;
3057 #ifdef REFCLOCK
3058 		else if (peer->flags & FLAG_REFCLOCK)
3059 			peer->nextdate = current_time + RESP_DELAY;
3060 #endif /* REFCLOCK */
3061 		else
3062 			peer->nextdate = utemp;
3063 
3064 #ifdef AUTOKEY
3065 	/*
3066 	 * If a burst is not in progress and a crypto response message
3067 	 * is pending, delay 2 s, but only if this is a new interval.
3068 	 */
3069 	} else if (peer->cmmd != NULL) {
3070 		if (peer->nextdate > current_time) {
3071 			if (peer->nextdate + ntp_minpkt != utemp)
3072 				peer->nextdate = utemp;
3073 		} else {
3074 			peer->nextdate = utemp;
3075 		}
3076 #endif	/* AUTOKEY */
3077 
3078 	/*
3079 	 * The ordinary case. If a retry, use minpoll; if unreachable,
3080 	 * use host poll; otherwise, use the minimum of host and peer
3081 	 * polls; In other words, oversampling is okay but
3082 	 * understampling is evil. Use the maximum of this value and the
3083 	 * headway. If the average headway is greater than the headway
3084 	 * threshold, increase the headway by the minimum interval.
3085 	 */
3086 	} else {
3087 		if (peer->retry > 0)
3088 			hpoll = peer->minpoll;
3089 		else
3090 			hpoll = min(peer->ppoll, peer->hpoll);
3091 #ifdef REFCLOCK
3092 		if (peer->flags & FLAG_REFCLOCK)
3093 			next = 1 << hpoll;
3094 		else
3095 #endif /* REFCLOCK */
3096 			next = ((0x1000UL | (ntp_random() & 0x0ff)) <<
3097 			    hpoll) >> 12;
3098 		next += peer->outdate;
3099 		/* XXX: bug3596: Deal with poll skew list? */
3100 		if (skewpoll) {
3101 			psl_item psi;
3102 
3103 			if (0 == get_pollskew(hpoll, &psi)) {
3104 				int sub = psi.sub;
3105 				int qty = psi.qty;
3106 				int msk = psi.msk;
3107 				int val;
3108 
3109 				if (   0 != sub
3110 				    || 0 != qty) {
3111 				    	do {
3112 						val = ntp_random() & msk;
3113 					} while (val > qty);
3114 
3115 					next -= sub;
3116 					next += val;
3117 				}
3118 			} else {
3119 				/* get_pollskew() already logged this */
3120 			}
3121 		}
3122 		if (next > utemp)
3123 			peer->nextdate = next;
3124 		else
3125 			peer->nextdate = utemp;
3126 		if (peer->throttle > (1 << peer->minpoll))
3127 			peer->nextdate += ntp_minpkt;
3128 	}
3129 
3130  	/*[Bug 3592] avoid unlimited postpone of next poll */
3131 	if (peer->nextdate > limit) {
3132 		DPRINTF(1, ("poll_update: clamp reached; limit %lu next %lu\n",
3133 			    limit, peer->nextdate));
3134 		peer->nextdate = limit;
3135 	}
3136 	DPRINTF(2, ("poll_update: at %lu %s poll %d burst %d retry %d head %d early %lu next %lu\n",
3137 		    current_time, ntoa(&peer->srcadr), peer->hpoll,
3138 		    peer->burst, peer->retry, peer->throttle,
3139 		    utemp - current_time, peer->nextdate -
3140 		    current_time));
3141 }
3142 
3143 
3144 /*
3145  * peer_clear - clear peer filter registers.  See Section 3.4.8 of the
3146  * spec.
3147  */
3148 void
3149 peer_clear(
3150 	struct peer *peer,		/* peer structure */
3151 	const char *ident		/* tally lights */
3152 	)
3153 {
3154 	u_char	u;
3155 	l_fp	bxmt = peer->bxmt;	/* bcast clients retain this! */
3156 
3157 #ifdef AUTOKEY
3158 	/*
3159 	 * If cryptographic credentials have been acquired, toss them to
3160 	 * Valhalla. Note that autokeys are ephemeral, in that they are
3161 	 * tossed immediately upon use. Therefore, the keylist can be
3162 	 * purged anytime without needing to preserve random keys. Note
3163 	 * that, if the peer is purged, the cryptographic variables are
3164 	 * purged, too. This makes it much harder to sneak in some
3165 	 * unauthenticated data in the clock filter.
3166 	 */
3167 	key_expire(peer);
3168 	if (peer->iffval != NULL)
3169 		BN_free(peer->iffval);
3170 	value_free(&peer->cookval);
3171 	value_free(&peer->recval);
3172 	value_free(&peer->encrypt);
3173 	value_free(&peer->sndval);
3174 	if (peer->cmmd != NULL)
3175 		free(peer->cmmd);
3176 	if (peer->subject != NULL)
3177 		free(peer->subject);
3178 	if (peer->issuer != NULL)
3179 		free(peer->issuer);
3180 #endif /* AUTOKEY */
3181 
3182 	/*
3183 	 * Clear all values, including the optional crypto values above.
3184 	 */
3185 	memset(CLEAR_TO_ZERO(peer), 0, LEN_CLEAR_TO_ZERO(peer));
3186 	peer->ppoll = peer->maxpoll;
3187 	peer->hpoll = peer->minpoll;
3188 	peer->disp = MAXDISPERSE;
3189 	peer->flash = peer_unfit(peer);
3190 	peer->jitter = LOGTOD(sys_precision);
3191 
3192 	/* Don't throw away our broadcast replay protection */
3193 	if (peer->hmode == MODE_BCLIENT)
3194 		peer->bxmt = bxmt;
3195 
3196 	/*
3197 	 * If interleave mode, initialize the alternate origin switch.
3198 	 */
3199 	if (peer->flags & FLAG_XLEAVE)
3200 		peer->flip = 1;
3201 	for (u = 0; u < NTP_SHIFT; u++) {
3202 		peer->filter_order[u] = u;
3203 		peer->filter_disp[u] = MAXDISPERSE;
3204 	}
3205 #ifdef REFCLOCK
3206 	if (!(peer->flags & FLAG_REFCLOCK)) {
3207 #endif
3208 		peer->leap = LEAP_NOTINSYNC;
3209 		peer->stratum = STRATUM_UNSPEC;
3210 		memcpy(&peer->refid, ident, 4);
3211 #ifdef REFCLOCK
3212 	} else {
3213 		/* Clear refclock sample filter */
3214 		peer->procptr->codeproc = 0;
3215 		peer->procptr->coderecv = 0;
3216 	}
3217 #endif
3218 
3219 	/*
3220 	 * During initialization use the association count to spread out
3221 	 * the polls at one-second intervals. Passive associations'
3222 	 * first poll is delayed by the "discard minimum" to avoid rate
3223 	 * limiting. Other post-startup new or cleared associations
3224 	 * randomize the first poll over the minimum poll interval to
3225 	 * avoid implosion.
3226 	 */
3227 	peer->nextdate = peer->update = peer->outdate = current_time;
3228 	if (initializing) {
3229 		peer->nextdate += peer_associations;
3230 	} else if (MODE_PASSIVE == peer->hmode) {
3231 		peer->nextdate += ntp_minpkt;
3232 	} else {
3233 		peer->nextdate += ntp_random() % peer->minpoll;
3234 	}
3235 #ifdef AUTOKEY
3236 	peer->refresh = current_time + (1 << NTP_REFRESH);
3237 #endif	/* AUTOKEY */
3238 	DPRINTF(1, ("peer_clear: at %ld next %ld associd %d refid %s\n",
3239 		    current_time, peer->nextdate, peer->associd,
3240 		    ident));
3241 }
3242 
3243 
3244 /*
3245  * clock_filter - add incoming clock sample to filter register and run
3246  *		  the filter procedure to find the best sample.
3247  */
3248 void
3249 clock_filter(
3250 	struct peer *peer,		/* peer structure pointer */
3251 	double	sample_offset,		/* clock offset */
3252 	double	sample_delay,		/* roundtrip delay */
3253 	double	sample_disp		/* dispersion */
3254 	)
3255 {
3256 	double	dst[NTP_SHIFT];		/* distance vector */
3257 	int	ord[NTP_SHIFT];		/* index vector */
3258 	int	i, j, k, m;
3259 	double	dtemp, etemp;
3260 	char	tbuf[80];
3261 
3262 	/*
3263 	 * A sample consists of the offset, delay, dispersion and epoch
3264 	 * of arrival. The offset and delay are determined by the on-
3265 	 * wire protocol. The dispersion grows from the last outbound
3266 	 * packet to the arrival of this one increased by the sum of the
3267 	 * peer precision and the system precision as required by the
3268 	 * error budget. First, shift the new arrival into the shift
3269 	 * register discarding the oldest one.
3270 	 */
3271 	j = peer->filter_nextpt;
3272 	peer->filter_offset[j] = sample_offset;
3273 	peer->filter_delay[j] = sample_delay;
3274 	peer->filter_disp[j] = sample_disp;
3275 	peer->filter_epoch[j] = current_time;
3276 	j = (j + 1) % NTP_SHIFT;
3277 	peer->filter_nextpt = j;
3278 
3279 	/*
3280 	 * Update dispersions since the last update and at the same
3281 	 * time initialize the distance and index lists. Since samples
3282 	 * become increasingly uncorrelated beyond the Allan intercept,
3283 	 * only under exceptional cases will an older sample be used.
3284 	 * Therefore, the distance list uses a compound metric. If the
3285 	 * dispersion is greater than the maximum dispersion, clamp the
3286 	 * distance at that value. If the time since the last update is
3287 	 * less than the Allan intercept use the delay; otherwise, use
3288 	 * the sum of the delay and dispersion.
3289 	 */
3290 	dtemp = clock_phi * (current_time - peer->update);
3291 	peer->update = current_time;
3292 	for (i = NTP_SHIFT - 1; i >= 0; i--) {
3293 		if (i != 0)
3294 			peer->filter_disp[j] += dtemp;
3295 		if (peer->filter_disp[j] >= MAXDISPERSE) {
3296 			peer->filter_disp[j] = MAXDISPERSE;
3297 			dst[i] = MAXDISPERSE;
3298 		} else if (peer->update - peer->filter_epoch[j] >
3299 		    (u_long)ULOGTOD(allan_xpt)) {
3300 			dst[i] = peer->filter_delay[j] +
3301 			    peer->filter_disp[j];
3302 		} else {
3303 			dst[i] = peer->filter_delay[j];
3304 		}
3305 		ord[i] = j;
3306 		j = (j + 1) % NTP_SHIFT;
3307 	}
3308 
3309 	/*
3310 	 * If the clock has stabilized, sort the samples by distance.
3311 	 */
3312 	if (freq_cnt == 0) {
3313 		for (i = 1; i < NTP_SHIFT; i++) {
3314 			for (j = 0; j < i; j++) {
3315 				if (dst[j] > dst[i]) {
3316 					k = ord[j];
3317 					ord[j] = ord[i];
3318 					ord[i] = k;
3319 					etemp = dst[j];
3320 					dst[j] = dst[i];
3321 					dst[i] = etemp;
3322 				}
3323 			}
3324 		}
3325 	}
3326 
3327 	/*
3328 	 * Copy the index list to the association structure so ntpq
3329 	 * can see it later. Prune the distance list to leave only
3330 	 * samples less than the maximum dispersion, which disfavors
3331 	 * uncorrelated samples older than the Allan intercept. To
3332 	 * further improve the jitter estimate, of the remainder leave
3333 	 * only samples less than the maximum distance, but keep at
3334 	 * least two samples for jitter calculation.
3335 	 */
3336 	m = 0;
3337 	for (i = 0; i < NTP_SHIFT; i++) {
3338 		peer->filter_order[i] = (u_char) ord[i];
3339 		if (   dst[i] >= MAXDISPERSE
3340 		    || (m >= 2 && dst[i] >= sys_maxdist))
3341 			continue;
3342 		m++;
3343 	}
3344 
3345 	/*
3346 	 * Compute the dispersion and jitter. The dispersion is weighted
3347 	 * exponentially by NTP_FWEIGHT (0.5) so it is normalized close
3348 	 * to 1.0. The jitter is the RMS differences relative to the
3349 	 * lowest delay sample.
3350 	 */
3351 	peer->disp = peer->jitter = 0;
3352 	k = ord[0];
3353 	for (i = NTP_SHIFT - 1; i >= 0; i--) {
3354 		j = ord[i];
3355 		peer->disp = NTP_FWEIGHT * (peer->disp +
3356 		    peer->filter_disp[j]);
3357 		if (i < m)
3358 			peer->jitter += DIFF(peer->filter_offset[j],
3359 			    peer->filter_offset[k]);
3360 	}
3361 
3362 	/*
3363 	 * If no acceptable samples remain in the shift register,
3364 	 * quietly tiptoe home leaving only the dispersion. Otherwise,
3365 	 * save the offset, delay and jitter. Note the jitter must not
3366 	 * be less than the precision.
3367 	 */
3368 	if (m == 0) {
3369 		clock_select();
3370 		return;
3371 	}
3372 	etemp = fabs(peer->offset - peer->filter_offset[k]);
3373 	peer->offset = peer->filter_offset[k];
3374 	peer->delay = peer->filter_delay[k];
3375 	if (m > 1)
3376 		peer->jitter /= m - 1;
3377 	peer->jitter = max(SQRT(peer->jitter), LOGTOD(sys_precision));
3378 
3379 	/*
3380 	 * If the the new sample and the current sample are both valid
3381 	 * and the difference between their offsets exceeds CLOCK_SGATE
3382 	 * (3) times the jitter and the interval between them is less
3383 	 * than twice the host poll interval, consider the new sample
3384 	 * a popcorn spike and ignore it.
3385 	 */
3386 	if (   peer->disp < sys_maxdist
3387 	    && peer->filter_disp[k] < sys_maxdist
3388 	    && etemp > CLOCK_SGATE * peer->jitter
3389 	    && peer->filter_epoch[k] - peer->epoch
3390 	       < 2. * ULOGTOD(peer->hpoll)) {
3391 		snprintf(tbuf, sizeof(tbuf), "%.6f s", etemp);
3392 		report_event(PEVNT_POPCORN, peer, tbuf);
3393 		return;
3394 	}
3395 
3396 	/*
3397 	 * A new minimum sample is useful only if it is later than the
3398 	 * last one used. In this design the maximum lifetime of any
3399 	 * sample is not greater than eight times the poll interval, so
3400 	 * the maximum interval between minimum samples is eight
3401 	 * packets.
3402 	 */
3403 	if (peer->filter_epoch[k] <= peer->epoch) {
3404 	DPRINTF(2, ("clock_filter: old sample %lu\n", current_time -
3405 		    peer->filter_epoch[k]));
3406 		return;
3407 	}
3408 	peer->epoch = peer->filter_epoch[k];
3409 
3410 	/*
3411 	 * The mitigated sample statistics are saved for later
3412 	 * processing. If not synchronized or not in a burst, tickle the
3413 	 * clock select algorithm.
3414 	 */
3415 	record_peer_stats(&peer->srcadr, ctlpeerstatus(peer),
3416 	    peer->offset, peer->delay, peer->disp, peer->jitter);
3417 	DPRINTF(1, ("clock_filter: n %d off %.6f del %.6f dsp %.6f jit %.6f\n",
3418 		    m, peer->offset, peer->delay, peer->disp,
3419 		    peer->jitter));
3420 	if (peer->burst == 0 || sys_leap == LEAP_NOTINSYNC)
3421 		clock_select();
3422 }
3423 
3424 
3425 /*
3426  * clock_select - find the pick-of-the-litter clock
3427  *
3428  * LOCKCLOCK: (1) If the local clock is the prefer peer, it will always
3429  * be enabled, even if declared falseticker, (2) only the prefer peer
3430  * can be selected as the system peer, (3) if the external source is
3431  * down, the system leap bits are set to 11 and the stratum set to
3432  * infinity.
3433  */
3434 void
3435 clock_select(void)
3436 {
3437 	struct peer *peer;
3438 	int	i, j, k, n;
3439 	int	nlist, nl2;
3440 	int	allow;
3441 	int	speer;
3442 	double	d, e, f, g;
3443 	double	high, low;
3444 	double	speermet;
3445 	double	lastresort_dist = MAXDISPERSE;
3446 	double	orphmet = 2.0 * U_INT32_MAX; /* 2x is greater than */
3447 	struct endpoint endp;
3448 	struct peer *osys_peer;
3449 	struct peer *sys_prefer = NULL;	/* prefer peer */
3450 	struct peer *typesystem = NULL;
3451 	struct peer *typelastresort = NULL;
3452 	struct peer *typeorphan = NULL;
3453 #ifdef REFCLOCK
3454 	struct peer *typeacts = NULL;
3455 	struct peer *typelocal = NULL;
3456 	struct peer *typepps = NULL;
3457 #endif /* REFCLOCK */
3458 	static struct endpoint *endpoint = NULL;
3459 	static int *indx = NULL;
3460 	static peer_select *peers = NULL;
3461 	static u_int endpoint_size = 0;
3462 	static u_int peers_size = 0;
3463 	static u_int indx_size = 0;
3464 	size_t octets;
3465 
3466 	/*
3467 	 * Initialize and create endpoint, index and peer lists big
3468 	 * enough to handle all associations.
3469 	 */
3470 	osys_peer = sys_peer;
3471 	sys_survivors = 0;
3472 #ifdef LOCKCLOCK
3473 	set_sys_leap(LEAP_NOTINSYNC);
3474 	sys_stratum = STRATUM_UNSPEC;
3475 	memcpy(&sys_refid, "DOWN", 4);
3476 #endif /* LOCKCLOCK */
3477 
3478 	/*
3479 	 * Allocate dynamic space depending on the number of
3480 	 * associations.
3481 	 */
3482 	nlist = 1;
3483 	for (peer = peer_list; peer != NULL; peer = peer->p_link)
3484 		nlist++;
3485 	endpoint_size = ALIGNED_SIZE(nlist * 2 * sizeof(*endpoint));
3486 	peers_size = ALIGNED_SIZE(nlist * sizeof(*peers));
3487 	indx_size = ALIGNED_SIZE(nlist * 2 * sizeof(*indx));
3488 	octets = endpoint_size + peers_size + indx_size;
3489 	endpoint = erealloc(endpoint, octets);
3490 	peers = INC_ALIGNED_PTR(endpoint, endpoint_size);
3491 	indx = INC_ALIGNED_PTR(peers, peers_size);
3492 
3493 	/*
3494 	 * Initially, we populate the island with all the rifraff peers
3495 	 * that happen to be lying around. Those with seriously
3496 	 * defective clocks are immediately booted off the island. Then,
3497 	 * the falsetickers are culled and put to sea. The truechimers
3498 	 * remaining are subject to repeated rounds where the most
3499 	 * unpopular at each round is kicked off. When the population
3500 	 * has dwindled to sys_minclock, the survivors split a million
3501 	 * bucks and collectively crank the chimes.
3502 	 */
3503 	nlist = nl2 = 0;	/* none yet */
3504 	for (peer = peer_list; peer != NULL; peer = peer->p_link) {
3505 		peer->new_status = CTL_PST_SEL_REJECT;
3506 
3507 		/*
3508 		 * Leave the island immediately if the peer is
3509 		 * unfit to synchronize.
3510 		 */
3511 		if (peer_unfit(peer)) {
3512 			continue;
3513 		}
3514 
3515 		/*
3516 		 * If we have never been synchronised, look for any peer
3517 		 * which has ever been synchronised and pick the one which
3518 		 * has the lowest root distance. This can be used as a last
3519 		 * resort if all else fails. Once we get an initial sync
3520 		 * with this peer, sys_reftime gets set and so this
3521 		 * function becomes disabled.
3522 		 */
3523 		if (L_ISZERO(&sys_reftime)) {
3524 			d = root_distance(peer);
3525 			if (!L_ISZERO(&peer->reftime) && d < lastresort_dist) {
3526 				typelastresort = peer;
3527 				lastresort_dist = d;
3528 			}
3529 		}
3530 
3531 		/*
3532 		 * If this peer is an orphan parent, elect the
3533 		 * one with the lowest metric defined as the
3534 		 * IPv4 address or the first 64 bits of the
3535 		 * hashed IPv6 address.  To ensure convergence
3536 		 * on the same selected orphan, consider as
3537 		 * well that this system may have the lowest
3538 		 * metric and be the orphan parent.  If this
3539 		 * system wins, sys_peer will be NULL to trigger
3540 		 * orphan mode in timer().
3541 		 */
3542 		if (peer->stratum == sys_orphan) {
3543 			u_int32	localmet;
3544 			u_int32 peermet;
3545 
3546 			if (peer->dstadr != NULL)
3547 				localmet = ntohl(peer->dstadr->addr_refid);
3548 			else
3549 				localmet = U_INT32_MAX;
3550 			peermet = ntohl(addr2refid(&peer->srcadr));
3551 			if (peermet < localmet && peermet < orphmet) {
3552 				typeorphan = peer;
3553 				orphmet = peermet;
3554 			}
3555 			continue;
3556 		}
3557 
3558 		/*
3559 		 * If this peer could have the orphan parent
3560 		 * as a synchronization ancestor, exclude it
3561 		 * from selection to avoid forming a
3562 		 * synchronization loop within the orphan mesh,
3563 		 * triggering stratum climb to infinity
3564 		 * instability.  Peers at stratum higher than
3565 		 * the orphan stratum could have the orphan
3566 		 * parent in ancestry so are excluded.
3567 		 * See http://bugs.ntp.org/2050
3568 		 */
3569 		if (peer->stratum > sys_orphan) {
3570 			continue;
3571 		}
3572 #ifdef REFCLOCK
3573 		/*
3574 		 * The following are special cases. We deal
3575 		 * with them later.
3576 		 */
3577 		if (!(peer->flags & FLAG_PREFER)) {
3578 			switch (peer->refclktype) {
3579 			case REFCLK_LOCALCLOCK:
3580 				if (   current_time > orphwait
3581 				    && typelocal == NULL)
3582 					typelocal = peer;
3583 				continue;
3584 
3585 			case REFCLK_ACTS:
3586 				if (   current_time > orphwait
3587 				    && typeacts == NULL)
3588 					typeacts = peer;
3589 				continue;
3590 			}
3591 		}
3592 #endif /* REFCLOCK */
3593 
3594 		/*
3595 		 * If we get this far, the peer can stay on the
3596 		 * island, but does not yet have the immunity
3597 		 * idol.
3598 		 */
3599 		peer->new_status = CTL_PST_SEL_SANE;
3600 		f = root_distance(peer);
3601 		peers[nlist].peer = peer;
3602 		peers[nlist].error = peer->jitter;
3603 		peers[nlist].synch = f;
3604 		nlist++;
3605 
3606 		/*
3607 		 * Insert each interval endpoint on the unsorted
3608 		 * endpoint[] list.
3609 		 */
3610 		e = peer->offset;
3611 		endpoint[nl2].type = -1;	/* lower end */
3612 		endpoint[nl2].val = e - f;
3613 		nl2++;
3614 		endpoint[nl2].type = 1;		/* upper end */
3615 		endpoint[nl2].val = e + f;
3616 		nl2++;
3617 	}
3618 	/*
3619 	 * Construct sorted indx[] of endpoint[] indexes ordered by
3620 	 * offset.
3621 	 */
3622 	for (i = 0; i < nl2; i++)
3623 		indx[i] = i;
3624 	for (i = 0; i < nl2; i++) {
3625 		endp = endpoint[indx[i]];
3626 		e = endp.val;
3627 		k = i;
3628 		for (j = i + 1; j < nl2; j++) {
3629 			endp = endpoint[indx[j]];
3630 			if (endp.val < e) {
3631 				e = endp.val;
3632 				k = j;
3633 			}
3634 		}
3635 		if (k != i) {
3636 			j = indx[k];
3637 			indx[k] = indx[i];
3638 			indx[i] = j;
3639 		}
3640 	}
3641 	for (i = 0; i < nl2; i++)
3642 		DPRINTF(3, ("select: endpoint %2d %.6f\n",
3643 			endpoint[indx[i]].type, endpoint[indx[i]].val));
3644 
3645 	/*
3646 	 * This is the actual algorithm that cleaves the truechimers
3647 	 * from the falsetickers. The original algorithm was described
3648 	 * in Keith Marzullo's dissertation, but has been modified for
3649 	 * better accuracy.
3650 	 *
3651 	 * Briefly put, we first assume there are no falsetickers, then
3652 	 * scan the candidate list first from the low end upwards and
3653 	 * then from the high end downwards. The scans stop when the
3654 	 * number of intersections equals the number of candidates less
3655 	 * the number of falsetickers. If this doesn't happen for a
3656 	 * given number of falsetickers, we bump the number of
3657 	 * falsetickers and try again. If the number of falsetickers
3658 	 * becomes equal to or greater than half the number of
3659 	 * candidates, the Albanians have won the Byzantine wars and
3660 	 * correct synchronization is not possible.
3661 	 *
3662 	 * Here, nlist is the number of candidates and allow is the
3663 	 * number of falsetickers. Upon exit, the truechimers are the
3664 	 * survivors with offsets not less than low and not greater than
3665 	 * high. There may be none of them.
3666 	 */
3667 	low = 1e9;
3668 	high = -1e9;
3669 	for (allow = 0; 2 * allow < nlist; allow++) {
3670 
3671 		/*
3672 		 * Bound the interval (low, high) as the smallest
3673 		 * interval containing points from the most sources.
3674 		 */
3675 		n = 0;
3676 		for (i = 0; i < nl2; i++) {
3677 			low = endpoint[indx[i]].val;
3678 			n -= endpoint[indx[i]].type;
3679 			if (n >= nlist - allow)
3680 				break;
3681 		}
3682 		n = 0;
3683 		for (j = nl2 - 1; j >= 0; j--) {
3684 			high = endpoint[indx[j]].val;
3685 			n += endpoint[indx[j]].type;
3686 			if (n >= nlist - allow)
3687 				break;
3688 		}
3689 
3690 		/*
3691 		 * If an interval containing truechimers is found, stop.
3692 		 * If not, increase the number of falsetickers and go
3693 		 * around again.
3694 		 */
3695 		if (high > low)
3696 			break;
3697 	}
3698 
3699 	/*
3700 	 * Clustering algorithm. Whittle candidate list of falsetickers,
3701 	 * who leave the island immediately. The TRUE peer is always a
3702 	 * truechimer. We must leave at least one peer to collect the
3703 	 * million bucks.
3704 	 *
3705 	 * We assert the correct time is contained in the interval, but
3706 	 * the best offset estimate for the interval might not be
3707 	 * contained in the interval. For this purpose, a truechimer is
3708 	 * defined as the midpoint of an interval that overlaps the
3709 	 * intersection interval.
3710 	 */
3711 	j = 0;
3712 	for (i = 0; i < nlist; i++) {
3713 		double	h;
3714 
3715 		peer = peers[i].peer;
3716 		h = peers[i].synch;
3717 		if ((   high <= low
3718 		     || peer->offset + h < low
3719 		     || peer->offset - h > high
3720 		    ) && !(peer->flags & FLAG_TRUE))
3721 			continue;
3722 
3723 #ifdef REFCLOCK
3724 		/*
3725 		 * Eligible PPS peers must survive the intersection
3726 		 * algorithm. Use the first one found, but don't
3727 		 * include any of them in the cluster population.
3728 		 */
3729 		if (peer->flags & FLAG_PPS) {
3730 			if (typepps == NULL)
3731 				typepps = peer;
3732 			if (!(peer->flags & FLAG_TSTAMP_PPS))
3733 				continue;
3734 		}
3735 #endif /* REFCLOCK */
3736 
3737 		if (j != i)
3738 			peers[j] = peers[i];
3739 		j++;
3740 	}
3741 	nlist = j;
3742 
3743 	/*
3744 	 * If no survivors remain at this point, check if the modem
3745 	 * driver, local driver or orphan parent in that order. If so,
3746 	 * nominate the first one found as the only survivor.
3747 	 * Otherwise, give up and leave the island to the rats.
3748 	 */
3749 	if (nlist == 0) {
3750 		peers[0].error = 0;
3751 		peers[0].synch = sys_mindisp;
3752 #ifdef REFCLOCK
3753 		if (typeacts != NULL) {
3754 			peers[0].peer = typeacts;
3755 			nlist = 1;
3756 		} else if (typelocal != NULL) {
3757 			peers[0].peer = typelocal;
3758 			nlist = 1;
3759 		} else
3760 #endif /* REFCLOCK */
3761 		if (typeorphan != NULL) {
3762 			peers[0].peer = typeorphan;
3763 			nlist = 1;
3764 		} else if (typelastresort != NULL) {
3765 			peers[0].peer = typelastresort;
3766 			nlist = 1;
3767 		}
3768 	}
3769 
3770 	/*
3771 	 * Mark the candidates at this point as truechimers.
3772 	 */
3773 	for (i = 0; i < nlist; i++) {
3774 		peers[i].peer->new_status = CTL_PST_SEL_SELCAND;
3775 		DPRINTF(2, ("select: survivor %s %f\n",
3776 			stoa(&peers[i].peer->srcadr), peers[i].synch));
3777 	}
3778 
3779 	/*
3780 	 * Now, vote outliers off the island by select jitter weighted
3781 	 * by root distance. Continue voting as long as there are more
3782 	 * than sys_minclock survivors and the select jitter of the peer
3783 	 * with the worst metric is greater than the minimum peer
3784 	 * jitter. Stop if we are about to discard a TRUE or PREFER
3785 	 * peer, who of course have the immunity idol.
3786 	 */
3787 	while (1) {
3788 		d = 1e9;
3789 		e = -1e9;
3790 		g = 0;
3791 		k = 0;
3792 		for (i = 0; i < nlist; i++) {
3793 			if (peers[i].error < d)
3794 				d = peers[i].error;
3795 			peers[i].seljit = 0;
3796 			if (nlist > 1) {
3797 				f = 0;
3798 				for (j = 0; j < nlist; j++)
3799 					f += DIFF(peers[j].peer->offset,
3800 					    peers[i].peer->offset);
3801 				peers[i].seljit = SQRT(f / (nlist - 1));
3802 			}
3803 			if (peers[i].seljit * peers[i].synch > e) {
3804 				g = peers[i].seljit;
3805 				e = peers[i].seljit * peers[i].synch;
3806 				k = i;
3807 			}
3808 		}
3809 		g = max(g, LOGTOD(sys_precision));
3810 		if (   nlist <= max(1, sys_minclock)
3811 		    || g <= d
3812 		    || ((FLAG_TRUE | FLAG_PREFER) & peers[k].peer->flags))
3813 			break;
3814 
3815 		DPRINTF(3, ("select: drop %s seljit %.6f jit %.6f\n",
3816 			ntoa(&peers[k].peer->srcadr), g, d));
3817 		if (nlist > sys_maxclock)
3818 			peers[k].peer->new_status = CTL_PST_SEL_EXCESS;
3819 		for (j = k + 1; j < nlist; j++)
3820 			peers[j - 1] = peers[j];
3821 		nlist--;
3822 	}
3823 
3824 	/*
3825 	 * What remains is a list usually not greater than sys_minclock
3826 	 * peers. Note that unsynchronized peers cannot survive this
3827 	 * far.  Count and mark these survivors.
3828 	 *
3829 	 * While at it, count the number of leap warning bits found.
3830 	 * This will be used later to vote the system leap warning bit.
3831 	 * If a leap warning bit is found on a reference clock, the vote
3832 	 * is always won.
3833 	 *
3834 	 * Choose the system peer using a hybrid metric composed of the
3835 	 * selection jitter scaled by the root distance augmented by
3836 	 * stratum scaled by sys_mindisp (.001 by default). The goal of
3837 	 * the small stratum factor is to avoid clockhop between a
3838 	 * reference clock and a network peer which has a refclock and
3839 	 * is using an older ntpd, which does not floor sys_rootdisp at
3840 	 * sys_mindisp.
3841 	 *
3842 	 * In contrast, ntpd 4.2.6 and earlier used stratum primarily
3843 	 * in selecting the system peer, using a weight of 1 second of
3844 	 * additional root distance per stratum.  This heavy bias is no
3845 	 * longer appropriate, as the scaled root distance provides a
3846 	 * more rational metric carrying the cumulative error budget.
3847 	 */
3848 	e = 1e9;
3849 	speer = 0;
3850 	leap_vote_ins = 0;
3851 	leap_vote_del = 0;
3852 	for (i = 0; i < nlist; i++) {
3853 		peer = peers[i].peer;
3854 		peer->unreach = 0;
3855 		peer->new_status = CTL_PST_SEL_SYNCCAND;
3856 		sys_survivors++;
3857 		if (peer->leap == LEAP_ADDSECOND) {
3858 			if (peer->flags & FLAG_REFCLOCK)
3859 				leap_vote_ins = nlist;
3860 			else if (leap_vote_ins < nlist)
3861 				leap_vote_ins++;
3862 		}
3863 		if (peer->leap == LEAP_DELSECOND) {
3864 			if (peer->flags & FLAG_REFCLOCK)
3865 				leap_vote_del = nlist;
3866 			else if (leap_vote_del < nlist)
3867 				leap_vote_del++;
3868 		}
3869 		if (peer->flags & FLAG_PREFER)
3870 			sys_prefer = peer;
3871 		speermet = peers[i].seljit * peers[i].synch +
3872 		    peer->stratum * sys_mindisp;
3873 		if (speermet < e) {
3874 			e = speermet;
3875 			speer = i;
3876 		}
3877 	}
3878 
3879 	/*
3880 	 * Unless there are at least sys_misane survivors, leave the
3881 	 * building dark. Otherwise, do a clockhop dance. Ordinarily,
3882 	 * use the selected survivor speer. However, if the current
3883 	 * system peer is not speer, stay with the current system peer
3884 	 * as long as it doesn't get too old or too ugly.
3885 	 */
3886 	if (nlist > 0 && nlist >= sys_minsane) {
3887 		double	x;
3888 
3889 		typesystem = peers[speer].peer;
3890 		if (osys_peer == NULL || osys_peer == typesystem) {
3891 			sys_clockhop = 0;
3892 		} else if ((x = fabs(typesystem->offset -
3893 		    osys_peer->offset)) < sys_mindisp) {
3894 			if (sys_clockhop == 0)
3895 				sys_clockhop = sys_mindisp;
3896 			else
3897 				sys_clockhop *= .5;
3898 			DPRINTF(1, ("select: clockhop %d %.6f %.6f\n",
3899 				j, x, sys_clockhop));
3900 			if (fabs(x) < sys_clockhop)
3901 				typesystem = osys_peer;
3902 			else
3903 				sys_clockhop = 0;
3904 		} else {
3905 			sys_clockhop = 0;
3906 		}
3907 	}
3908 
3909 	/*
3910 	 * Mitigation rules of the game. We have the pick of the
3911 	 * litter in typesystem if any survivors are left. If
3912 	 * there is a prefer peer, use its offset and jitter.
3913 	 * Otherwise, use the combined offset and jitter of all kitters.
3914 	 */
3915 	if (typesystem != NULL) {
3916 		if (sys_prefer == NULL) {
3917 			typesystem->new_status = CTL_PST_SEL_SYSPEER;
3918 			clock_combine(peers, sys_survivors, speer);
3919 		} else {
3920 			typesystem = sys_prefer;
3921 			sys_clockhop = 0;
3922 			typesystem->new_status = CTL_PST_SEL_SYSPEER;
3923 			sys_offset = typesystem->offset;
3924 			sys_jitter = typesystem->jitter;
3925 		}
3926 		DPRINTF(1, ("select: combine offset %.9f jitter %.9f\n",
3927 			sys_offset, sys_jitter));
3928 	}
3929 #ifdef REFCLOCK
3930 	/*
3931 	 * If a PPS driver is lit and the combined offset is less than
3932 	 * 0.4 s, select the driver as the PPS peer and use its offset
3933 	 * and jitter. However, if this is the atom driver, use it only
3934 	 * if there is a prefer peer or there are no survivors and none
3935 	 * are required.
3936 	 */
3937 	if (   typepps != NULL
3938 	    && fabs(sys_offset) < 0.4
3939 	    && (   typepps->refclktype != REFCLK_ATOM_PPS
3940 		|| (   typepps->refclktype == REFCLK_ATOM_PPS
3941 		    && (   sys_prefer != NULL
3942 			|| (typesystem == NULL && sys_minsane == 0))))) {
3943 		typesystem = typepps;
3944 		sys_clockhop = 0;
3945 		typesystem->new_status = CTL_PST_SEL_PPS;
3946 		sys_offset = typesystem->offset;
3947 		sys_jitter = typesystem->jitter;
3948 		DPRINTF(1, ("select: pps offset %.9f jitter %.9f\n",
3949 			sys_offset, sys_jitter));
3950 	}
3951 #endif /* REFCLOCK */
3952 
3953 	/*
3954 	 * If there are no survivors at this point, there is no
3955 	 * system peer. If so and this is an old update, keep the
3956 	 * current statistics, but do not update the clock.
3957 	 */
3958 	if (typesystem == NULL) {
3959 		if (osys_peer != NULL) {
3960 			orphwait = current_time + sys_orphwait;
3961 			report_event(EVNT_NOPEER, NULL, NULL);
3962 		}
3963 		sys_peer = NULL;
3964 		for (peer = peer_list; peer != NULL; peer = peer->p_link)
3965 			peer->status = peer->new_status;
3966 		return;
3967 	}
3968 
3969 	/*
3970 	 * Do not use old data, as this may mess up the clock discipline
3971 	 * stability.
3972 	 */
3973 	if (typesystem->epoch <= sys_epoch)
3974 		return;
3975 
3976 	/*
3977 	 * We have found the alpha male. Wind the clock.
3978 	 */
3979 	if (osys_peer != typesystem)
3980 		report_event(PEVNT_NEWPEER, typesystem, NULL);
3981 	for (peer = peer_list; peer != NULL; peer = peer->p_link)
3982 		peer->status = peer->new_status;
3983 	clock_update(typesystem);
3984 }
3985 
3986 
3987 static void
3988 clock_combine(
3989 	peer_select *	peers,	/* survivor list */
3990 	int		npeers,	/* number of survivors */
3991 	int		syspeer	/* index of sys.peer */
3992 	)
3993 {
3994 	int	i;
3995 	double	x, y, z, w;
3996 
3997 	y = z = w = 0;
3998 	for (i = 0; i < npeers; i++) {
3999 		x = 1. / peers[i].synch;
4000 		y += x;
4001 		z += x * peers[i].peer->offset;
4002 		w += x * DIFF(peers[i].peer->offset,
4003 		    peers[syspeer].peer->offset);
4004 	}
4005 	sys_offset = z / y;
4006 	sys_jitter = SQRT(w / y + SQUARE(peers[syspeer].seljit));
4007 }
4008 
4009 
4010 /*
4011  * root_distance - compute synchronization distance from peer to root
4012  */
4013 static double
4014 root_distance(
4015 	struct peer *peer	/* peer structure pointer */
4016 	)
4017 {
4018 	double	dtemp;
4019 
4020 	/*
4021 	 * Root Distance (LAMBDA) is defined as:
4022 	 * (delta + DELTA)/2 + epsilon + EPSILON + D
4023 	 *
4024 	 * where:
4025 	 *  delta   is the round-trip delay
4026 	 *  DELTA   is the root delay
4027 	 *  epsilon is the peer dispersion
4028 	 *	    + (15 usec each second)
4029 	 *  EPSILON is the root dispersion
4030 	 *  D       is sys_jitter
4031 	 *
4032 	 * NB: Think hard about why we are using these values, and what
4033 	 * the alternatives are, and the various pros/cons.
4034 	 *
4035 	 * DLM thinks these are probably the best choices from any of the
4036 	 * other worse choices.
4037 	 */
4038 	dtemp = (peer->delay + peer->rootdelay) / 2
4039 		+ peer->disp
4040 		  + clock_phi * (current_time - peer->update)
4041 		+ peer->rootdisp
4042 		+ peer->jitter;
4043 	/*
4044 	 * Careful squeak here. The value returned must be greater than
4045 	 * the minimum root dispersion in order to avoid clockhop with
4046 	 * highly precise reference clocks. Note that the root distance
4047 	 * cannot exceed the sys_maxdist, as this is the cutoff by the
4048 	 * selection algorithm.
4049 	 */
4050 	if (dtemp < sys_mindisp)
4051 		dtemp = sys_mindisp;
4052 	return (dtemp);
4053 }
4054 
4055 
4056 /*
4057  * peer_xmit - send packet for persistent association.
4058  */
4059 static void
4060 peer_xmit(
4061 	struct peer *peer	/* peer structure pointer */
4062 	)
4063 {
4064 	struct pkt xpkt;	/* transmit packet */
4065 	size_t	sendlen, authlen;
4066 	keyid_t	xkeyid = 0;	/* transmit key ID */
4067 	l_fp	xmt_tx, xmt_ty;
4068 
4069 	if (!peer->dstadr)	/* drop peers without interface */
4070 		return;
4071 
4072 	xpkt.li_vn_mode = PKT_LI_VN_MODE(sys_leap, peer->version,
4073 	    peer->hmode);
4074 	xpkt.stratum = STRATUM_TO_PKT(sys_stratum);
4075 	xpkt.ppoll = peer->hpoll;
4076 	xpkt.precision = sys_precision;
4077 	xpkt.refid = sys_refid;
4078 	xpkt.rootdelay = HTONS_FP(DTOFP(sys_rootdelay));
4079 	xpkt.rootdisp =  HTONS_FP(DTOUFP(sys_rootdisp));
4080 	/* Use sys_reftime for peer exchanges */
4081 	HTONL_FP(&sys_reftime, &xpkt.reftime);
4082 	HTONL_FP(&peer->rec, &xpkt.org);
4083 	HTONL_FP(&peer->dst, &xpkt.rec);
4084 
4085 	/*
4086 	 * If the received packet contains a MAC, the transmitted packet
4087 	 * is authenticated and contains a MAC. If not, the transmitted
4088 	 * packet is not authenticated.
4089 	 *
4090 	 * It is most important when autokey is in use that the local
4091 	 * interface IP address be known before the first packet is
4092 	 * sent. Otherwise, it is not possible to compute a correct MAC
4093 	 * the recipient will accept. Thus, the I/O semantics have to do
4094 	 * a little more work. In particular, the wildcard interface
4095 	 * might not be usable.
4096 	 */
4097 	sendlen = LEN_PKT_NOMAC;
4098 	if (
4099 #ifdef AUTOKEY
4100 	    !(peer->flags & FLAG_SKEY) &&
4101 #endif	/* !AUTOKEY */
4102 	    peer->keyid == 0) {
4103 
4104 		/*
4105 		 * Transmit a-priori timestamps
4106 		 */
4107 		get_systime(&xmt_tx);
4108 		if (peer->flip == 0) {	/* basic mode */
4109 			peer->aorg = xmt_tx;
4110 			HTONL_FP(&xmt_tx, &xpkt.xmt);
4111 		} else {		/* interleaved modes */
4112 			if (peer->hmode == MODE_BROADCAST) { /* bcst */
4113 				HTONL_FP(&xmt_tx, &xpkt.xmt);
4114 				if (peer->flip > 0)
4115 					HTONL_FP(&peer->borg,
4116 					    &xpkt.org);
4117 				else
4118 					HTONL_FP(&peer->aorg,
4119 					    &xpkt.org);
4120 			} else {	/* symmetric */
4121 				if (peer->flip > 0)
4122 					HTONL_FP(&peer->borg,
4123 					    &xpkt.xmt);
4124 				else
4125 					HTONL_FP(&peer->aorg,
4126 					    &xpkt.xmt);
4127 			}
4128 		}
4129 		peer->t21_bytes = sendlen;
4130 		sendpkt(&peer->srcadr, peer->dstadr,
4131 			sys_ttl[(peer->ttl >= sys_ttlmax) ? sys_ttlmax : peer->ttl],
4132 			&xpkt, sendlen);
4133 		peer->sent++;
4134 		peer->throttle += (1 << peer->minpoll) - 2;
4135 
4136 		/*
4137 		 * Capture a-posteriori timestamps
4138 		 */
4139 		get_systime(&xmt_ty);
4140 		if (peer->flip != 0) {		/* interleaved modes */
4141 			if (peer->flip > 0)
4142 				peer->aorg = xmt_ty;
4143 			else
4144 				peer->borg = xmt_ty;
4145 			peer->flip = -peer->flip;
4146 		}
4147 		L_SUB(&xmt_ty, &xmt_tx);
4148 		LFPTOD(&xmt_ty, peer->xleave);
4149 		DPRINTF(1, ("peer_xmit: at %ld %s->%s mode %d len %zu xmt %#010x.%08x\n",
4150 			    current_time,
4151 			    peer->dstadr ? stoa(&peer->dstadr->sin) : "-",
4152 			    stoa(&peer->srcadr), peer->hmode, sendlen,
4153 			    xmt_tx.l_ui, xmt_tx.l_uf));
4154 		return;
4155 	}
4156 
4157 	/*
4158 	 * Authentication is enabled, so the transmitted packet must be
4159 	 * authenticated. If autokey is enabled, fuss with the various
4160 	 * modes; otherwise, symmetric key cryptography is used.
4161 	 */
4162 #ifdef AUTOKEY
4163 	if (peer->flags & FLAG_SKEY) {
4164 		struct exten *exten;	/* extension field */
4165 
4166 		/*
4167 		 * The Public Key Dance (PKD): Cryptographic credentials
4168 		 * are contained in extension fields, each including a
4169 		 * 4-octet length/code word followed by a 4-octet
4170 		 * association ID and optional additional data. Optional
4171 		 * data includes a 4-octet data length field followed by
4172 		 * the data itself. Request messages are sent from a
4173 		 * configured association; response messages can be sent
4174 		 * from a configured association or can take the fast
4175 		 * path without ever matching an association. Response
4176 		 * messages have the same code as the request, but have
4177 		 * a response bit and possibly an error bit set. In this
4178 		 * implementation, a message may contain no more than
4179 		 * one command and one or more responses.
4180 		 *
4181 		 * Cryptographic session keys include both a public and
4182 		 * a private componet. Request and response messages
4183 		 * using extension fields are always sent with the
4184 		 * private component set to zero. Packets without
4185 		 * extension fields indlude the private component when
4186 		 * the session key is generated.
4187 		 */
4188 		while (1) {
4189 
4190 			/*
4191 			 * Allocate and initialize a keylist if not
4192 			 * already done. Then, use the list in inverse
4193 			 * order, discarding keys once used. Keep the
4194 			 * latest key around until the next one, so
4195 			 * clients can use client/server packets to
4196 			 * compute propagation delay.
4197 			 *
4198 			 * Note that once a key is used from the list,
4199 			 * it is retained in the key cache until the
4200 			 * next key is used. This is to allow a client
4201 			 * to retrieve the encrypted session key
4202 			 * identifier to verify authenticity.
4203 			 *
4204 			 * If for some reason a key is no longer in the
4205 			 * key cache, a birthday has happened or the key
4206 			 * has expired, so the pseudo-random sequence is
4207 			 * broken. In that case, purge the keylist and
4208 			 * regenerate it.
4209 			 */
4210 			if (peer->keynumber == 0)
4211 				make_keylist(peer, peer->dstadr);
4212 			else
4213 				peer->keynumber--;
4214 			xkeyid = peer->keylist[peer->keynumber];
4215 			if (authistrusted(xkeyid))
4216 				break;
4217 			else
4218 				key_expire(peer);
4219 		}
4220 		peer->keyid = xkeyid;
4221 		exten = NULL;
4222 		switch (peer->hmode) {
4223 
4224 		/*
4225 		 * In broadcast server mode the autokey values are
4226 		 * required by the broadcast clients. Push them when a
4227 		 * new keylist is generated; otherwise, push the
4228 		 * association message so the client can request them at
4229 		 * other times.
4230 		 */
4231 		case MODE_BROADCAST:
4232 			if (peer->flags & FLAG_ASSOC)
4233 				exten = crypto_args(peer, CRYPTO_AUTO |
4234 				    CRYPTO_RESP, peer->associd, NULL);
4235 			else
4236 				exten = crypto_args(peer, CRYPTO_ASSOC |
4237 				    CRYPTO_RESP, peer->associd, NULL);
4238 			break;
4239 
4240 		/*
4241 		 * In symmetric modes the parameter, certificate,
4242 		 * identity, cookie and autokey exchanges are
4243 		 * required. The leapsecond exchange is optional. But, a
4244 		 * peer will not believe the other peer until the other
4245 		 * peer has synchronized, so the certificate exchange
4246 		 * might loop until then. If a peer finds a broken
4247 		 * autokey sequence, it uses the autokey exchange to
4248 		 * retrieve the autokey values. In any case, if a new
4249 		 * keylist is generated, the autokey values are pushed.
4250 		 */
4251 		case MODE_ACTIVE:
4252 		case MODE_PASSIVE:
4253 
4254 			/*
4255 			 * Parameter, certificate and identity.
4256 			 */
4257 			if (!peer->crypto)
4258 				exten = crypto_args(peer, CRYPTO_ASSOC,
4259 				    peer->associd, hostval.ptr);
4260 			else if (!(peer->crypto & CRYPTO_FLAG_CERT))
4261 				exten = crypto_args(peer, CRYPTO_CERT,
4262 				    peer->associd, peer->issuer);
4263 			else if (!(peer->crypto & CRYPTO_FLAG_VRFY))
4264 				exten = crypto_args(peer,
4265 				    crypto_ident(peer), peer->associd,
4266 				    NULL);
4267 
4268 			/*
4269 			 * Cookie and autokey. We request the cookie
4270 			 * only when the this peer and the other peer
4271 			 * are synchronized. But, this peer needs the
4272 			 * autokey values when the cookie is zero. Any
4273 			 * time we regenerate the key list, we offer the
4274 			 * autokey values without being asked. If for
4275 			 * some reason either peer finds a broken
4276 			 * autokey sequence, the autokey exchange is
4277 			 * used to retrieve the autokey values.
4278 			 */
4279 			else if (   sys_leap != LEAP_NOTINSYNC
4280 				 && peer->leap != LEAP_NOTINSYNC
4281 				 && !(peer->crypto & CRYPTO_FLAG_COOK))
4282 				exten = crypto_args(peer, CRYPTO_COOK,
4283 				    peer->associd, NULL);
4284 			else if (!(peer->crypto & CRYPTO_FLAG_AUTO))
4285 				exten = crypto_args(peer, CRYPTO_AUTO,
4286 				    peer->associd, NULL);
4287 			else if (   peer->flags & FLAG_ASSOC
4288 				 && peer->crypto & CRYPTO_FLAG_SIGN)
4289 				exten = crypto_args(peer, CRYPTO_AUTO |
4290 				    CRYPTO_RESP, peer->assoc, NULL);
4291 
4292 			/*
4293 			 * Wait for clock sync, then sign the
4294 			 * certificate and retrieve the leapsecond
4295 			 * values.
4296 			 */
4297 			else if (sys_leap == LEAP_NOTINSYNC)
4298 				break;
4299 
4300 			else if (!(peer->crypto & CRYPTO_FLAG_SIGN))
4301 				exten = crypto_args(peer, CRYPTO_SIGN,
4302 				    peer->associd, hostval.ptr);
4303 			else if (!(peer->crypto & CRYPTO_FLAG_LEAP))
4304 				exten = crypto_args(peer, CRYPTO_LEAP,
4305 				    peer->associd, NULL);
4306 			break;
4307 
4308 		/*
4309 		 * In client mode the parameter, certificate, identity,
4310 		 * cookie and sign exchanges are required. The
4311 		 * leapsecond exchange is optional. If broadcast client
4312 		 * mode the same exchanges are required, except that the
4313 		 * autokey exchange is substitutes for the cookie
4314 		 * exchange, since the cookie is always zero. If the
4315 		 * broadcast client finds a broken autokey sequence, it
4316 		 * uses the autokey exchange to retrieve the autokey
4317 		 * values.
4318 		 */
4319 		case MODE_CLIENT:
4320 
4321 			/*
4322 			 * Parameter, certificate and identity.
4323 			 */
4324 			if (!peer->crypto)
4325 				exten = crypto_args(peer, CRYPTO_ASSOC,
4326 				    peer->associd, hostval.ptr);
4327 			else if (!(peer->crypto & CRYPTO_FLAG_CERT))
4328 				exten = crypto_args(peer, CRYPTO_CERT,
4329 				    peer->associd, peer->issuer);
4330 			else if (!(peer->crypto & CRYPTO_FLAG_VRFY))
4331 				exten = crypto_args(peer,
4332 				    crypto_ident(peer), peer->associd,
4333 				    NULL);
4334 
4335 			/*
4336 			 * Cookie and autokey. These are requests, but
4337 			 * we use the peer association ID with autokey
4338 			 * rather than our own.
4339 			 */
4340 			else if (!(peer->crypto & CRYPTO_FLAG_COOK))
4341 				exten = crypto_args(peer, CRYPTO_COOK,
4342 				    peer->associd, NULL);
4343 			else if (!(peer->crypto & CRYPTO_FLAG_AUTO))
4344 				exten = crypto_args(peer, CRYPTO_AUTO,
4345 				    peer->assoc, NULL);
4346 
4347 			/*
4348 			 * Wait for clock sync, then sign the
4349 			 * certificate and retrieve the leapsecond
4350 			 * values.
4351 			 */
4352 			else if (sys_leap == LEAP_NOTINSYNC)
4353 				break;
4354 
4355 			else if (!(peer->crypto & CRYPTO_FLAG_SIGN))
4356 				exten = crypto_args(peer, CRYPTO_SIGN,
4357 				    peer->associd, hostval.ptr);
4358 			else if (!(peer->crypto & CRYPTO_FLAG_LEAP))
4359 				exten = crypto_args(peer, CRYPTO_LEAP,
4360 				    peer->associd, NULL);
4361 			break;
4362 		}
4363 
4364 		/*
4365 		 * Add a queued extension field if present. This is
4366 		 * always a request message, so the reply ID is already
4367 		 * in the message. If an error occurs, the error bit is
4368 		 * lit in the response.
4369 		 */
4370 		if (peer->cmmd != NULL) {
4371 			u_int32 temp32;
4372 
4373 			temp32 = CRYPTO_RESP;
4374 			peer->cmmd->opcode |= htonl(temp32);
4375 			sendlen += crypto_xmit(peer, &xpkt, NULL,
4376 			    sendlen, peer->cmmd, 0);
4377 			free(peer->cmmd);
4378 			peer->cmmd = NULL;
4379 		}
4380 
4381 		/*
4382 		 * Add an extension field created above. All but the
4383 		 * autokey response message are request messages.
4384 		 */
4385 		if (exten != NULL) {
4386 			if (exten->opcode != 0)
4387 				sendlen += crypto_xmit(peer, &xpkt,
4388 				    NULL, sendlen, exten, 0);
4389 			free(exten);
4390 		}
4391 
4392 		/*
4393 		 * Calculate the next session key. Since extension
4394 		 * fields are present, the cookie value is zero.
4395 		 */
4396 		if (sendlen > (int)LEN_PKT_NOMAC) {
4397 			session_key(&peer->dstadr->sin, &peer->srcadr,
4398 			    xkeyid, 0, 2);
4399 		}
4400 	}
4401 #endif	/* AUTOKEY */
4402 
4403 	/*
4404 	 * Transmit a-priori timestamps
4405 	 */
4406 	get_systime(&xmt_tx);
4407 	if (peer->flip == 0) {		/* basic mode */
4408 		peer->aorg = xmt_tx;
4409 		HTONL_FP(&xmt_tx, &xpkt.xmt);
4410 	} else {			/* interleaved modes */
4411 		if (peer->hmode == MODE_BROADCAST) { /* bcst */
4412 			HTONL_FP(&xmt_tx, &xpkt.xmt);
4413 			if (peer->flip > 0)
4414 				HTONL_FP(&peer->borg, &xpkt.org);
4415 			else
4416 				HTONL_FP(&peer->aorg, &xpkt.org);
4417 		} else {		/* symmetric */
4418 			if (peer->flip > 0)
4419 				HTONL_FP(&peer->borg, &xpkt.xmt);
4420 			else
4421 				HTONL_FP(&peer->aorg, &xpkt.xmt);
4422 		}
4423 	}
4424 	xkeyid = peer->keyid;
4425 	authlen = authencrypt(xkeyid, (u_int32 *)&xpkt, sendlen);
4426 	if (authlen == 0) {
4427 		report_event(PEVNT_AUTH, peer, "no key");
4428 		peer->flash |= TEST5;		/* auth error */
4429 		peer->badauth++;
4430 		return;
4431 	}
4432 	sendlen += authlen;
4433 #ifdef AUTOKEY
4434 	if (xkeyid > NTP_MAXKEY)
4435 		authtrust(xkeyid, 0);
4436 #endif	/* AUTOKEY */
4437 	if (sendlen > sizeof(xpkt)) {
4438 		msyslog(LOG_ERR, "peer_xmit: buffer overflow %zu", sendlen);
4439 		exit (-1);
4440 	}
4441 	peer->t21_bytes = sendlen;
4442 	sendpkt(&peer->srcadr, peer->dstadr,
4443 		sys_ttl[(peer->ttl >= sys_ttlmax) ? sys_ttlmax : peer->ttl],
4444 		&xpkt, sendlen);
4445 	peer->sent++;
4446 	peer->throttle += (1 << peer->minpoll) - 2;
4447 
4448 	/*
4449 	 * Capture a-posteriori timestamps
4450 	 */
4451 	get_systime(&xmt_ty);
4452 	if (peer->flip != 0) {			/* interleaved modes */
4453 		if (peer->flip > 0)
4454 			peer->aorg = xmt_ty;
4455 		else
4456 			peer->borg = xmt_ty;
4457 		peer->flip = -peer->flip;
4458 	}
4459 	L_SUB(&xmt_ty, &xmt_tx);
4460 	LFPTOD(&xmt_ty, peer->xleave);
4461 #ifdef AUTOKEY
4462 	DPRINTF(1, ("peer_xmit: at %ld %s->%s mode %d keyid %08x len %zu index %d\n",
4463 		    current_time, latoa(peer->dstadr),
4464 		    ntoa(&peer->srcadr), peer->hmode, xkeyid, sendlen,
4465 		    peer->keynumber));
4466 #else	/* !AUTOKEY follows */
4467 	DPRINTF(1, ("peer_xmit: at %ld %s->%s mode %d keyid %08x len %zu\n",
4468 		    current_time, peer->dstadr ?
4469 		    ntoa(&peer->dstadr->sin) : "-",
4470 		    ntoa(&peer->srcadr), peer->hmode, xkeyid, sendlen));
4471 #endif	/* !AUTOKEY */
4472 
4473 	return;
4474 }
4475 
4476 
4477 #ifdef LEAP_SMEAR
4478 
4479 static void
4480 leap_smear_add_offs(
4481 	l_fp *t,
4482 	l_fp *t_recv
4483 	)
4484 {
4485 
4486 	L_ADD(t, &leap_smear.offset);
4487 
4488 	/*
4489 	** XXX: Should the smear be added to the root dispersion?
4490 	*/
4491 
4492 	return;
4493 }
4494 
4495 #endif /* LEAP_SMEAR */
4496 
4497 
4498 /*
4499  * fast_xmit - Send packet for nonpersistent association. Note that
4500  * neither the source or destination can be a broadcast address.
4501  */
4502 static void
4503 fast_xmit(
4504 	struct recvbuf *rbufp,	/* receive packet pointer */
4505 	int	xmode,		/* receive mode */  /* XXX: HMS: really? */
4506 	keyid_t	xkeyid,		/* transmit key ID */
4507 	int	flags		/* restrict mask */
4508 	)
4509 {
4510 	struct pkt xpkt;	/* transmit packet structure */
4511 	struct pkt *rpkt;	/* receive packet structure */
4512 	l_fp	xmt_tx, xmt_ty;
4513 	size_t	sendlen;
4514 #ifdef AUTOKEY
4515 	u_int32	temp32;
4516 #endif
4517 
4518 	/*
4519 	 * Initialize transmit packet header fields from the receive
4520 	 * buffer provided. We leave the fields intact as received, but
4521 	 * set the peer poll at the maximum of the receive peer poll and
4522 	 * the system minimum poll (ntp_minpoll). This is for KoD rate
4523 	 * control and not strictly specification compliant, but doesn't
4524 	 * break anything.
4525 	 *
4526 	 * If the gazinta was from a multicast address, the gazoutta
4527 	 * must go out another way.
4528 	 */
4529 	rpkt = &rbufp->recv_pkt;
4530 	if (rbufp->dstadr->flags & INT_MCASTOPEN)
4531 		rbufp->dstadr = findinterface(&rbufp->recv_srcadr);
4532 
4533 	/*
4534 	 * If this is a kiss-o'-death (KoD) packet, show leap
4535 	 * unsynchronized, stratum zero, reference ID the four-character
4536 	 * kiss code and (???) system root delay. Note we don't reveal
4537 	 * the local time, so these packets can't be used for
4538 	 * synchronization.
4539 	 */
4540 	if (flags & RES_KOD) {
4541 		sys_kodsent++;
4542 		xpkt.li_vn_mode = PKT_LI_VN_MODE(LEAP_NOTINSYNC,
4543 		    PKT_VERSION(rpkt->li_vn_mode), xmode);
4544 		xpkt.stratum = STRATUM_PKT_UNSPEC;
4545 		xpkt.ppoll = max(rpkt->ppoll, ntp_minpoll);
4546 		xpkt.precision = rpkt->precision;
4547 		memcpy(&xpkt.refid, "RATE", 4);
4548 		xpkt.rootdelay = rpkt->rootdelay;
4549 		xpkt.rootdisp = rpkt->rootdisp;
4550 		xpkt.reftime = rpkt->reftime;
4551 		xpkt.org = rpkt->xmt;
4552 		xpkt.rec = rpkt->xmt;
4553 		xpkt.xmt = rpkt->xmt;
4554 
4555 	/*
4556 	 * This is a normal packet. Use the system variables.
4557 	 */
4558 	} else {
4559 		double this_rootdisp;
4560 		l_fp this_ref_time;
4561 
4562 #ifdef LEAP_SMEAR
4563 		/*
4564 		 * Make copies of the variables which can be affected by smearing.
4565 		 */
4566 		l_fp this_recv_time;
4567 #endif
4568 
4569 		/*
4570 		 * If we are inside the leap smear interval we add
4571 		 * the current smear offset to:
4572 		 * - the packet receive time,
4573 		 * - the packet transmit time,
4574 		 * - and eventually to the reftime to make sure the
4575 		 *   reftime isn't later than the transmit/receive times.
4576 		 */
4577 		xpkt.li_vn_mode = PKT_LI_VN_MODE(xmt_leap,
4578 		    PKT_VERSION(rpkt->li_vn_mode), xmode);
4579 
4580 		xpkt.stratum = STRATUM_TO_PKT(sys_stratum);
4581 		xpkt.ppoll = max(rpkt->ppoll, ntp_minpoll);
4582 		xpkt.precision = sys_precision;
4583 		xpkt.refid = sys_refid;
4584 		xpkt.rootdelay = HTONS_FP(DTOFP(sys_rootdelay));
4585 
4586 		/*
4587 		** Server Response Fuzzing
4588 		**
4589 		** Which values do we want to use for reftime and rootdisp?
4590 		*/
4591 
4592 		if (   MODE_SERVER == xmode
4593 		    && RES_SRVRSPFUZ & flags) {
4594 			if (current_time < p2_time) {
4595 				this_ref_time = p2_reftime;
4596 				this_rootdisp = p2_rootdisp;
4597 			} else if (current_time < prev_time) {
4598 				this_ref_time = prev_reftime;
4599 				this_rootdisp = prev_rootdisp;
4600 			} else {
4601 				this_ref_time = sys_reftime;
4602 				this_rootdisp = sys_rootdisp;
4603 			}
4604 
4605 			SRVRSP_FUZZ(this_ref_time);
4606 		} else {
4607 			this_ref_time = sys_reftime;
4608 			this_rootdisp = sys_rootdisp;
4609 		}
4610 
4611 		/*
4612 		** ROOT DISPERSION
4613 		*/
4614 
4615 		xpkt.rootdisp = HTONS_FP(DTOUFP(this_rootdisp));
4616 
4617 		/*
4618 		** REFTIME
4619 		*/
4620 
4621 #ifdef LEAP_SMEAR
4622 		if (leap_smear.in_progress) {
4623 			/* adjust the reftime by the same amount as the
4624 			 * leap smear, as we don't want to risk the
4625 			 * reftime being later than the transmit time.
4626 			 */
4627 			leap_smear_add_offs(&this_ref_time, NULL);
4628 		}
4629 #endif
4630 
4631 		HTONL_FP(&this_ref_time, &xpkt.reftime);
4632 
4633 		/*
4634 		** REFID
4635 		*/
4636 
4637 #ifdef LEAP_SMEAR
4638 		if (leap_smear.in_progress) {
4639 			xpkt.refid = convertLFPToRefID(leap_smear.offset);
4640 			DPRINTF(2, ("fast_xmit: leap_smear.in_progress: refid %8x, smear %s\n",
4641 				ntohl(xpkt.refid),
4642 				lfptoa(&leap_smear.offset, 8)
4643 				));
4644 		}
4645 #endif
4646 
4647 		/*
4648 		** ORIGIN
4649 		*/
4650 
4651 		xpkt.org = rpkt->xmt;
4652 
4653 		/*
4654 		** RECEIVE
4655 		*/
4656 #ifdef LEAP_SMEAR
4657 		this_recv_time = rbufp->recv_time;
4658 		if (leap_smear.in_progress)
4659 			leap_smear_add_offs(&this_recv_time, NULL);
4660 		HTONL_FP(&this_recv_time, &xpkt.rec);
4661 #else
4662 		HTONL_FP(&rbufp->recv_time, &xpkt.rec);
4663 #endif
4664 
4665 		/*
4666 		** TRANSMIT
4667 		*/
4668 
4669 		get_systime(&xmt_tx);
4670 #ifdef LEAP_SMEAR
4671 		if (leap_smear.in_progress)
4672 			leap_smear_add_offs(&xmt_tx, &this_recv_time);
4673 #endif
4674 		HTONL_FP(&xmt_tx, &xpkt.xmt);
4675 	}
4676 
4677 #ifdef HAVE_NTP_SIGND
4678 	if (flags & RES_MSSNTP) {
4679 		send_via_ntp_signd(rbufp, xmode, xkeyid, flags, &xpkt);
4680 		return;
4681 	}
4682 #endif /* HAVE_NTP_SIGND */
4683 
4684 	/*
4685 	 * If the received packet contains a MAC, the transmitted packet
4686 	 * is authenticated and contains a MAC. If not, the transmitted
4687 	 * packet is not authenticated.
4688 	 */
4689 	sendlen = LEN_PKT_NOMAC;
4690 	if (rbufp->recv_length == sendlen) {
4691 		sendpkt(&rbufp->recv_srcadr, rbufp->dstadr, 0, &xpkt,
4692 		    sendlen);
4693 		DPRINTF(1, ("fast_xmit: at %ld %s->%s mode %d len %lu\n",
4694 			    current_time, stoa(&rbufp->dstadr->sin),
4695 			    stoa(&rbufp->recv_srcadr), xmode,
4696 			    (u_long)sendlen));
4697 		return;
4698 	}
4699 
4700 	/*
4701 	 * The received packet contains a MAC, so the transmitted packet
4702 	 * must be authenticated. For symmetric key cryptography, use
4703 	 * the predefined and trusted symmetric keys to generate the
4704 	 * cryptosum. For autokey cryptography, use the server private
4705 	 * value to generate the cookie, which is unique for every
4706 	 * source-destination-key ID combination.
4707 	 */
4708 #ifdef AUTOKEY
4709 	if (xkeyid > NTP_MAXKEY) {
4710 		keyid_t cookie;
4711 
4712 		/*
4713 		 * The only way to get here is a reply to a legitimate
4714 		 * client request message, so the mode must be
4715 		 * MODE_SERVER. If an extension field is present, there
4716 		 * can be only one and that must be a command. Do what
4717 		 * needs, but with private value of zero so the poor
4718 		 * jerk can decode it. If no extension field is present,
4719 		 * use the cookie to generate the session key.
4720 		 */
4721 		cookie = session_key(&rbufp->recv_srcadr,
4722 		    &rbufp->dstadr->sin, 0, sys_private, 0);
4723 		if ((size_t)rbufp->recv_length > sendlen + MAX_MAC_LEN) {
4724 			session_key(&rbufp->dstadr->sin,
4725 			    &rbufp->recv_srcadr, xkeyid, 0, 2);
4726 			temp32 = CRYPTO_RESP;
4727 			rpkt->exten[0] |= htonl(temp32);
4728 			sendlen += crypto_xmit(NULL, &xpkt, rbufp,
4729 			    sendlen, (struct exten *)rpkt->exten,
4730 			    cookie);
4731 		} else {
4732 			session_key(&rbufp->dstadr->sin,
4733 			    &rbufp->recv_srcadr, xkeyid, cookie, 2);
4734 		}
4735 	}
4736 #endif	/* AUTOKEY */
4737 	get_systime(&xmt_tx);
4738 	sendlen += authencrypt(xkeyid, (u_int32 *)&xpkt, sendlen);
4739 #ifdef AUTOKEY
4740 	if (xkeyid > NTP_MAXKEY)
4741 		authtrust(xkeyid, 0);
4742 #endif	/* AUTOKEY */
4743 	sendpkt(&rbufp->recv_srcadr, rbufp->dstadr, 0, &xpkt, sendlen);
4744 	get_systime(&xmt_ty);
4745 	L_SUB(&xmt_ty, &xmt_tx);
4746 	sys_authdelay = xmt_ty;
4747 	DPRINTF(1, ("fast_xmit: at %ld %s->%s mode %d keyid %08x len %lu\n",
4748 		    current_time, ntoa(&rbufp->dstadr->sin),
4749 		    ntoa(&rbufp->recv_srcadr), xmode, xkeyid,
4750 		    (u_long)sendlen));
4751 }
4752 
4753 
4754 /*
4755  * pool_xmit - resolve hostname or send unicast solicitation for pool.
4756  */
4757 static void
4758 pool_xmit(
4759 	struct peer *pool	/* pool solicitor association */
4760 	)
4761 {
4762 #ifdef WORKER
4763 	struct pkt		xpkt;	/* transmit packet structure */
4764 	struct addrinfo		hints;
4765 	int			rc;
4766 	struct interface *	lcladr;
4767 	sockaddr_u *		rmtadr;
4768 	r4addr			r4a;
4769 	u_short			restrict_mask;
4770 	struct peer *		p;
4771 	l_fp			xmt_tx;
4772 
4773 	DEBUG_REQUIRE(pool);
4774 	if (NULL == pool->ai) {
4775 		if (pool->addrs != NULL) {
4776 			/* free() is used with copy_addrinfo_list() */
4777 			free(pool->addrs);
4778 			pool->addrs = NULL;
4779 		}
4780 		ZERO(hints);
4781 		hints.ai_family = AF(&pool->srcadr);
4782 		hints.ai_socktype = SOCK_DGRAM;
4783 		hints.ai_protocol = IPPROTO_UDP;
4784 		/* ignore getaddrinfo_sometime() errors, we will retry */
4785 		rc = getaddrinfo_sometime(
4786 			pool->hostname,
4787 			"ntp",
4788 			&hints,
4789 			0,			/* no retry */
4790 			&pool_name_resolved,
4791 			(void *)(intptr_t)pool->associd);
4792 		if (!rc)
4793 			DPRINTF(1, ("pool DNS lookup %s started\n",
4794 				pool->hostname));
4795 		else
4796 			msyslog(LOG_ERR,
4797 				"unable to start pool DNS %s: %m",
4798 				pool->hostname);
4799 		return;
4800 	}
4801 
4802 	do {
4803 		/* copy_addrinfo_list ai_addr points to a sockaddr_u */
4804 		rmtadr = (sockaddr_u *)(void *)pool->ai->ai_addr;
4805 		pool->ai = pool->ai->ai_next;
4806 		p = findexistingpeer(rmtadr, NULL, NULL, MODE_CLIENT, 0, NULL);
4807 	} while (p != NULL && pool->ai != NULL);
4808 	if (p != NULL)
4809 		return;	/* out of addresses, re-query DNS next poll */
4810 	restrictions(rmtadr, &r4a);
4811 	restrict_mask = r4a.rflags;
4812 	if (RES_FLAGS & restrict_mask)
4813 		restrict_source(rmtadr, 0,
4814 				current_time + POOL_SOLICIT_WINDOW + 1);
4815 	lcladr = findinterface(rmtadr);
4816 	memset(&xpkt, 0, sizeof(xpkt));
4817 	xpkt.li_vn_mode = PKT_LI_VN_MODE(sys_leap, pool->version,
4818 					 MODE_CLIENT);
4819 	xpkt.stratum = STRATUM_TO_PKT(sys_stratum);
4820 	xpkt.ppoll = pool->hpoll;
4821 	xpkt.precision = sys_precision;
4822 	xpkt.refid = sys_refid;
4823 	xpkt.rootdelay = HTONS_FP(DTOFP(sys_rootdelay));
4824 	xpkt.rootdisp = HTONS_FP(DTOUFP(sys_rootdisp));
4825 	/* Bug 3596: What are the pros/cons of using sys_reftime here? */
4826 	HTONL_FP(&sys_reftime, &xpkt.reftime);
4827 
4828 	/* HMS: the following is better done after the ntp_random() calls */
4829 	get_systime(&xmt_tx);
4830 	pool->aorg = xmt_tx;
4831 
4832 	if (FLAG_LOOPNONCE & pool->flags) {
4833 		l_fp nonce;
4834 
4835 		do {
4836 			nonce.l_ui = ntp_random();
4837 		} while (0 == nonce.l_ui);
4838 		do {
4839 			nonce.l_uf = ntp_random();
4840 		} while (0 == nonce.l_uf);
4841 		pool->nonce = nonce;
4842 		HTONL_FP(&nonce, &xpkt.xmt);
4843 	} else {
4844 		L_CLR(&pool->nonce);
4845 		HTONL_FP(&xmt_tx, &xpkt.xmt);
4846 	}
4847 	sendpkt(rmtadr, lcladr,
4848 		sys_ttl[(pool->ttl >= sys_ttlmax) ? sys_ttlmax : pool->ttl],
4849 		&xpkt, LEN_PKT_NOMAC);
4850 	pool->sent++;
4851 	pool->throttle += (1 << pool->minpoll) - 2;
4852 	DPRINTF(1, ("pool_xmit: at %ld %s->%s pool\n",
4853 		    current_time, latoa(lcladr), stoa(rmtadr)));
4854 	msyslog(LOG_INFO, "Soliciting pool server %s", stoa(rmtadr));
4855 #endif	/* WORKER */
4856 }
4857 
4858 
4859 #ifdef AUTOKEY
4860 	/*
4861 	 * group_test - test if this is the same group
4862 	 *
4863 	 * host		assoc		return		action
4864 	 * none		none		0		mobilize *
4865 	 * none		group		0		mobilize *
4866 	 * group	none		0		mobilize *
4867 	 * group	group		1		mobilize
4868 	 * group	different	1		ignore
4869 	 * * ignore if notrust
4870 	 */
4871 int
4872 group_test(
4873 	char	*grp,
4874 	char	*ident
4875 	)
4876 {
4877 	if (grp == NULL)
4878 		return (0);
4879 
4880 	if (strcmp(grp, sys_groupname) == 0)
4881 		return (0);
4882 
4883 	if (ident == NULL)
4884 		return (1);
4885 
4886 	if (strcmp(grp, ident) == 0)
4887 		return (0);
4888 
4889 	return (1);
4890 }
4891 #endif /* AUTOKEY */
4892 
4893 
4894 #ifdef WORKER
4895 void
4896 pool_name_resolved(
4897 	int			rescode,
4898 	int			gai_errno,
4899 	void *			context,
4900 	const char *		name,
4901 	const char *		service,
4902 	const struct addrinfo *	hints,
4903 	const struct addrinfo *	res
4904 	)
4905 {
4906 	struct peer *	pool;	/* pool solicitor association */
4907 	associd_t	assoc;
4908 
4909 	if (rescode) {
4910 		msyslog(LOG_ERR,
4911 			"error resolving pool %s: %s (%d)",
4912 			name, gai_strerror(rescode), rescode);
4913 		return;
4914 	}
4915 
4916 	assoc = (associd_t)(intptr_t)context;
4917 	pool = findpeerbyassoc(assoc);
4918 	if (NULL == pool) {
4919 		msyslog(LOG_ERR,
4920 			"Could not find assoc %u for pool DNS %s",
4921 			assoc, name);
4922 		return;
4923 	}
4924 	DPRINTF(1, ("pool DNS %s completed\n", name));
4925 	pool->addrs = copy_addrinfo_list(res);
4926 	pool->ai = pool->addrs;
4927 	pool_xmit(pool);
4928 
4929 }
4930 #endif	/* WORKER */
4931 
4932 
4933 #ifdef AUTOKEY
4934 /*
4935  * key_expire - purge the key list
4936  */
4937 void
4938 key_expire(
4939 	struct peer *peer	/* peer structure pointer */
4940 	)
4941 {
4942 	int i;
4943 
4944 	if (peer->keylist != NULL) {
4945 		for (i = 0; i <= peer->keynumber; i++)
4946 			authtrust(peer->keylist[i], 0);
4947 		free(peer->keylist);
4948 		peer->keylist = NULL;
4949 	}
4950 	value_free(&peer->sndval);
4951 	peer->keynumber = 0;
4952 	peer->flags &= ~FLAG_ASSOC;
4953 	DPRINTF(1, ("key_expire: at %lu associd %d\n", current_time,
4954 		    peer->associd));
4955 }
4956 #endif	/* AUTOKEY */
4957 
4958 
4959 /*
4960  * local_refid(peer) - check peer refid to avoid selecting peers
4961  *		       currently synced to this ntpd.
4962  */
4963 static int
4964 local_refid(
4965 	struct peer *	p
4966 	)
4967 {
4968 	endpt *	unicast_ep;
4969 
4970 	if (p->dstadr != NULL && !(INT_MCASTIF & p->dstadr->flags))
4971 		unicast_ep = p->dstadr;
4972 	else
4973 		unicast_ep = findinterface(&p->srcadr);
4974 
4975 	if (unicast_ep != NULL && p->refid == unicast_ep->addr_refid)
4976 		return TRUE;
4977 	else
4978 		return FALSE;
4979 }
4980 
4981 
4982 /*
4983  * Determine if the peer is unfit for synchronization
4984  *
4985  * A peer is unfit for synchronization if
4986  * > TEST10 bad leap or stratum below floor or at or above ceiling
4987  * > TEST11 root distance exceeded for remote peer
4988  * > TEST12 a direct or indirect synchronization loop would form
4989  * > TEST13 unreachable or noselect
4990  */
4991 int				/* FALSE if fit, TRUE if unfit */
4992 peer_unfit(
4993 	struct peer *peer	/* peer structure pointer */
4994 	)
4995 {
4996 	int	rval = 0;
4997 
4998 	/*
4999 	 * A stratum error occurs if (1) the server has never been
5000 	 * synchronized, (2) the server stratum is below the floor or
5001 	 * greater than or equal to the ceiling.
5002 	 */
5003 	if (   peer->leap == LEAP_NOTINSYNC
5004 	    || peer->stratum < sys_floor
5005 	    || peer->stratum >= sys_ceiling) {
5006 		rval |= TEST10;		/* bad synch or stratum */
5007 	}
5008 
5009 	/*
5010 	 * A distance error for a remote peer occurs if the root
5011 	 * distance is greater than or equal to the distance threshold
5012 	 * plus the increment due to one host poll interval.
5013 	 */
5014 	if (   !(peer->flags & FLAG_REFCLOCK)
5015 	    && root_distance(peer) >= sys_maxdist
5016 				      + clock_phi * ULOGTOD(peer->hpoll)) {
5017 		rval |= TEST11;		/* distance exceeded */
5018 	}
5019 
5020 	/*
5021 	 * A loop error occurs if the remote peer is synchronized to the
5022 	 * local peer or if the remote peer is synchronized to the same
5023 	 * server as the local peer but only if the remote peer is
5024 	 * neither a reference clock nor an orphan.
5025 	 */
5026 	if (peer->stratum > 1 && local_refid(peer)) {
5027 		rval |= TEST12;		/* synchronization loop */
5028 	}
5029 
5030 	/*
5031 	 * An unreachable error occurs if the server is unreachable or
5032 	 * the noselect bit is set.
5033 	 */
5034 	if (!peer->reach || (peer->flags & FLAG_NOSELECT)) {
5035 		rval |= TEST13;		/* unreachable */
5036 	}
5037 
5038 	peer->flash &= ~PEER_TEST_MASK;
5039 	peer->flash |= rval;
5040 	return (rval);
5041 }
5042 
5043 
5044 /*
5045  * Find the precision of this particular machine
5046  */
5047 #define MINSTEP		20e-9	/* minimum clock increment (s) */
5048 #define MAXSTEP		1	/* maximum clock increment (s) */
5049 #define MINCHANGES	12	/* minimum number of step samples */
5050 #define MAXLOOPS	((int)(1. / MINSTEP))	/* avoid infinite loop */
5051 
5052 /*
5053  * This routine measures the system precision defined as the minimum of
5054  * a sequence of differences between successive readings of the system
5055  * clock. However, if a difference is less than MINSTEP, the clock has
5056  * been read more than once during a clock tick and the difference is
5057  * ignored. We set MINSTEP greater than zero in case something happens
5058  * like a cache miss, and to tolerate underlying system clocks which
5059  * ensure each reading is strictly greater than prior readings while
5060  * using an underlying stepping (not interpolated) clock.
5061  *
5062  * sys_tick and sys_precision represent the time to read the clock for
5063  * systems with high-precision clocks, and the tick interval or step
5064  * size for lower-precision stepping clocks.
5065  *
5066  * This routine also measures the time to read the clock on stepping
5067  * system clocks by counting the number of readings between changes of
5068  * the underlying clock.  With either type of clock, the minimum time
5069  * to read the clock is saved as sys_fuzz, and used to ensure the
5070  * get_systime() readings always increase and are fuzzed below sys_fuzz.
5071  */
5072 void
5073 measure_precision(void)
5074 {
5075 	/*
5076 	 * With sys_fuzz set to zero, get_systime() fuzzing of low bits
5077 	 * is effectively disabled.  trunc_os_clock is FALSE to disable
5078 	 * get_ostime() simulation of a low-precision system clock.
5079 	 */
5080 	set_sys_fuzz(0.);
5081 	trunc_os_clock = FALSE;
5082 	measured_tick = measure_tick_fuzz();
5083 	set_sys_tick_precision(measured_tick);
5084 	msyslog(LOG_INFO, "proto: precision = %.3f usec (%d)",
5085 		sys_tick * 1e6, sys_precision);
5086 	if (sys_fuzz < sys_tick) {
5087 		msyslog(LOG_NOTICE, "proto: fuzz beneath %.3f usec",
5088 			sys_fuzz * 1e6);
5089 	}
5090 }
5091 
5092 
5093 /*
5094  * measure_tick_fuzz()
5095  *
5096  * measures the minimum time to read the clock (stored in sys_fuzz)
5097  * and returns the tick, the larger of the minimum increment observed
5098  * between successive clock readings and the time to read the clock.
5099  */
5100 double
5101 measure_tick_fuzz(void)
5102 {
5103 	l_fp	minstep;	/* MINSTEP as l_fp */
5104 	l_fp	val;		/* current seconds fraction */
5105 	l_fp	last;		/* last seconds fraction */
5106 	l_fp	ldiff;		/* val - last */
5107 	double	tick;		/* computed tick value */
5108 	double	diff;
5109 	long	repeats;
5110 	long	max_repeats;
5111 	int	changes;
5112 	int	i;		/* log2 precision */
5113 
5114 	tick = MAXSTEP;
5115 	max_repeats = 0;
5116 	repeats = 0;
5117 	changes = 0;
5118 	DTOLFP(MINSTEP, &minstep);
5119 	get_systime(&last);
5120 	for (i = 0; i < MAXLOOPS && changes < MINCHANGES; i++) {
5121 		get_systime(&val);
5122 		ldiff = val;
5123 		L_SUB(&ldiff, &last);
5124 		last = val;
5125 		if (L_ISGT(&ldiff, &minstep)) {
5126 			max_repeats = max(repeats, max_repeats);
5127 			repeats = 0;
5128 			changes++;
5129 			LFPTOD(&ldiff, diff);
5130 			tick = min(diff, tick);
5131 		} else {
5132 			repeats++;
5133 		}
5134 	}
5135 	if (changes < MINCHANGES) {
5136 		msyslog(LOG_ERR, "Fatal error: precision could not be measured (MINSTEP too large?)");
5137 		exit(1);
5138 	}
5139 
5140 	if (0 == max_repeats) {
5141 		set_sys_fuzz(tick);
5142 	} else {
5143 		set_sys_fuzz(tick / max_repeats);
5144 	}
5145 
5146 	return tick;
5147 }
5148 
5149 
5150 void
5151 set_sys_tick_precision(
5152 	double tick
5153 	)
5154 {
5155 	int i;
5156 
5157 	if (tick > 1.) {
5158 		msyslog(LOG_ERR,
5159 			"unsupported tick %.3f > 1s ignored", tick);
5160 		return;
5161 	}
5162 	if (tick < measured_tick) {
5163 		msyslog(LOG_ERR,
5164 			"proto: tick %.3f less than measured tick %.3f, ignored",
5165 			tick, measured_tick);
5166 		return;
5167 	} else if (tick > measured_tick) {
5168 		trunc_os_clock = TRUE;
5169 		msyslog(LOG_NOTICE,
5170 			"proto: truncating system clock to multiples of %.9f",
5171 			tick);
5172 	}
5173 	sys_tick = tick;
5174 
5175 	/*
5176 	 * Find the nearest power of two.
5177 	 */
5178 	for (i = 0; tick <= 1; i--)
5179 		tick *= 2;
5180 	if (tick - 1 > 1 - tick / 2)
5181 		i++;
5182 
5183 	sys_precision = (s_char)i;
5184 }
5185 
5186 
5187 /*
5188  * init_proto - initialize the protocol module's data
5189  */
5190 void
5191 init_proto(void)
5192 {
5193 	l_fp	dummy;
5194 	int	i;
5195 
5196 	/*
5197 	 * Fill in the sys_* stuff.  Default is don't listen to
5198 	 * broadcasting, require authentication.
5199 	 */
5200 	set_sys_leap(LEAP_NOTINSYNC);
5201 	sys_stratum = STRATUM_UNSPEC;
5202 	memcpy(&sys_refid, "INIT", 4);
5203 	sys_peer = NULL;
5204 	sys_rootdelay = 0;
5205 	sys_rootdisp = 0;
5206 	L_CLR(&sys_reftime);
5207 	sys_jitter = 0;
5208 	measure_precision();
5209 	get_systime(&dummy);
5210 	sys_survivors = 0;
5211 	sys_manycastserver = 0;
5212 	sys_bclient = 0;
5213 	sys_bdelay = BDELAY_DEFAULT;	/*[Bug 3031] delay cutoff */
5214 	sys_authenticate = 1;
5215 	sys_stattime = current_time;
5216 	orphwait = current_time + sys_orphwait;
5217 	proto_clr_stats();
5218 	for (i = 0; i < MAX_TTL; ++i)
5219 		sys_ttl[i] = (u_char)((i * 256) / MAX_TTL);
5220 	sys_ttlmax = (MAX_TTL - 1);
5221 	hardpps_enable = 0;
5222 	stats_control = 1;
5223 }
5224 
5225 
5226 /*
5227  * proto_config - configure the protocol module
5228  */
5229 void
5230 proto_config(
5231 	int	item,
5232 	u_long	value,
5233 	double	dvalue,
5234 	sockaddr_u *svalue
5235 	)
5236 {
5237 	/*
5238 	 * Figure out what he wants to change, then do it
5239 	 */
5240 	DPRINTF(2, ("proto_config: code %d value %lu dvalue %lf\n",
5241 		    item, value, dvalue));
5242 
5243 	switch (item) {
5244 
5245 	/*
5246 	 * enable and disable commands - arguments are Boolean.
5247 	 */
5248 	case PROTO_AUTHENTICATE: /* authentication (auth) */
5249 		sys_authenticate = value;
5250 		break;
5251 
5252 	case PROTO_BROADCLIENT: /* broadcast client (bclient) */
5253 		sys_bclient = (int)value;
5254 		if (sys_bclient == 0)
5255 			io_unsetbclient();
5256 		else
5257 			io_setbclient();
5258 		break;
5259 
5260 #ifdef REFCLOCK
5261 	case PROTO_CAL:		/* refclock calibrate (calibrate) */
5262 		cal_enable = value;
5263 		break;
5264 #endif /* REFCLOCK */
5265 
5266 	case PROTO_KERNEL:	/* kernel discipline (kernel) */
5267 		select_loop(value);
5268 		break;
5269 
5270 	case PROTO_MONITOR:	/* monitoring (monitor) */
5271 		if (value)
5272 			mon_start(MON_ON);
5273 		else {
5274 			mon_stop(MON_ON);
5275 			if (mon_enabled)
5276 				msyslog(LOG_WARNING,
5277 					"restrict: 'monitor' cannot be disabled while 'limited' is enabled");
5278 		}
5279 		break;
5280 
5281 	case PROTO_NTP:		/* NTP discipline (ntp) */
5282 		ntp_enable = value;
5283 		break;
5284 
5285 	case PROTO_MODE7:	/* mode7 management (ntpdc) */
5286 		ntp_mode7 = value;
5287 		break;
5288 
5289 	case PROTO_PPS:		/* PPS discipline (pps) */
5290 		hardpps_enable = value;
5291 		break;
5292 
5293 	case PROTO_FILEGEN:	/* statistics (stats) */
5294 		stats_control = value;
5295 		break;
5296 
5297 	/*
5298 	 * tos command - arguments are double, sometimes cast to int
5299 	 */
5300 
5301 	case PROTO_BCPOLLBSTEP:	/* Broadcast Poll Backstep gate (bcpollbstep) */
5302 		sys_bcpollbstep = (u_char)dvalue;
5303 		break;
5304 
5305 	case PROTO_BEACON:	/* manycast beacon (beacon) */
5306 		sys_beacon = (int)dvalue;
5307 		break;
5308 
5309 	case PROTO_BROADDELAY:	/* default broadcast delay (bdelay) */
5310 		sys_bdelay = (dvalue ? dvalue : BDELAY_DEFAULT);
5311 		break;
5312 
5313 	case PROTO_CEILING:	/* stratum ceiling (ceiling) */
5314 		sys_ceiling = (int)dvalue;
5315 		break;
5316 
5317 	case PROTO_COHORT:	/* cohort switch (cohort) */
5318 		sys_cohort = (int)dvalue;
5319 		break;
5320 
5321 	case PROTO_FLOOR:	/* stratum floor (floor) */
5322 		sys_floor = (int)dvalue;
5323 		break;
5324 
5325 	case PROTO_MAXCLOCK:	/* maximum candidates (maxclock) */
5326 		sys_maxclock = (int)dvalue;
5327 		break;
5328 
5329 	case PROTO_MAXDIST:	/* select threshold (maxdist) */
5330 		sys_maxdist = dvalue;
5331 		break;
5332 
5333 	case PROTO_CALLDELAY:	/* modem call delay (mdelay) */
5334 		break;		/* NOT USED */
5335 
5336 	case PROTO_MINCLOCK:	/* minimum candidates (minclock) */
5337 		sys_minclock = (int)dvalue;
5338 		break;
5339 
5340 	case PROTO_MINDISP:	/* minimum distance (mindist) */
5341 		sys_mindisp = dvalue;
5342 		break;
5343 
5344 	case PROTO_MINSANE:	/* minimum survivors (minsane) */
5345 		sys_minsane = (int)dvalue;
5346 		break;
5347 
5348 	case PROTO_ORPHAN:	/* orphan stratum (orphan) */
5349 		sys_orphan = (int)dvalue;
5350 		break;
5351 
5352 	case PROTO_ORPHWAIT:	/* orphan wait (orphwait) */
5353 		orphwait -= sys_orphwait;
5354 		sys_orphwait = (dvalue >= 1) ? (int)dvalue : NTP_ORPHWAIT;
5355 		orphwait += sys_orphwait;
5356 		break;
5357 
5358 	/*
5359 	 * Miscellaneous commands
5360 	 */
5361 	case PROTO_MULTICAST_ADD: /* add group address */
5362 		if (svalue != NULL)
5363 			io_multicast_add(svalue);
5364 		sys_bclient = 1;
5365 		break;
5366 
5367 	case PROTO_MULTICAST_DEL: /* delete group address */
5368 		if (svalue != NULL)
5369 			io_multicast_del(svalue);
5370 		break;
5371 
5372 	/*
5373 	 * Peer_clear Early policy choices
5374 	 */
5375 
5376 	case PROTO_PCEDIGEST:	/* Digest */
5377 		peer_clear_digest_early = value;
5378 		break;
5379 
5380 	/*
5381 	 * Unpeer Early policy choices
5382 	 */
5383 
5384 	case PROTO_UECRYPTO:	/* Crypto */
5385 		unpeer_crypto_early = value;
5386 		break;
5387 
5388 	case PROTO_UECRYPTONAK:	/* Crypto_NAK */
5389 		unpeer_crypto_nak_early = value;
5390 		break;
5391 
5392 	case PROTO_UEDIGEST:	/* Digest */
5393 		unpeer_digest_early = value;
5394 		break;
5395 
5396 	default:
5397 		msyslog(LOG_NOTICE,
5398 		    "proto: unsupported option %d", item);
5399 	}
5400 }
5401 
5402 
5403 /*
5404  * proto_clr_stats - clear protocol stat counters
5405  */
5406 void
5407 proto_clr_stats(void)
5408 {
5409 	sys_stattime = current_time;
5410 	sys_received = 0;
5411 	sys_processed = 0;
5412 	sys_newversion = 0;
5413 	sys_oldversion = 0;
5414 	sys_declined = 0;
5415 	sys_restricted = 0;
5416 	sys_badlength = 0;
5417 	sys_badauth = 0;
5418 	sys_limitrejected = 0;
5419 	sys_kodsent = 0;
5420 	sys_lamport = 0;
5421 	sys_tsrounding = 0;
5422 }
5423